23542300x8000000000000000294695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:22.658{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B68861220BC9AC1BE1D9EC19F672359,SHA256=54934F9FFF771EF9AEC3379C214F5BFC26EF9AAA79DD48466994FEBA29C199DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:22.487{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5D2478B288C4DA22E4651395DAE5F2,SHA256=430975F3682D86A0D3878A41B5C64DB9160481520FC45F29B1438297B1B4DBC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:21.534{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61321-false10.0.1.12-8000- 23542300x8000000000000000294696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:23.790{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9423455D4632B87A44D2A12A68994115,SHA256=EACCAC2F4263C04DB8FB223272961543D6F5FFE4D100288989413796C7213364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:23.508{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B792992772635EC93734E1DD993BDDCB,SHA256=607D2D7FDFCDE4BA199CA75A0315C94C99C349156209CBDBD942AF6666360736,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:21.688{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54833-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000306032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:20.967{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54832-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.939{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A280F38178C6F802B5C64FDE88D404,SHA256=26AA9D4F54BF618ACCCFF41D5BAE85B392C4A5AA4230E1F118D2C7376331D218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:24.592{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E12CCD88547B77C8AFE8EEAFDA8911B,SHA256=2CA4D1182831E94B0232D6EED9118D981F75F89F891FEFE894AAE4DA8AC4727B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.722{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.712{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.705{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.701{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.699{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.672{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.664{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.653{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.648{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.641{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.634{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.626{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.615{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.603{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.593{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.582{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.497{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:24.494{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000306037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:25.692{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF9172CE0A581264243EA0F2366459F,SHA256=3D14B920521CC4854E5D3E1FFF6304B52B36F4E6D703BEEDCB9AEACE184E29A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.184{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.182{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.178{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.174{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:25.172{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000306036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:25.292{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D959744D99944152D44B43D68BA6E01E,SHA256=B93387642590173E60C768F83E059A9E5DDFFD639A535DA83BF329725CF60681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:26.711{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A12A3D8A817539CAD0760E5DF22188E,SHA256=94083344AF2E02EA6F25249F97DA957B35B9077F587983A823540DBDC1900C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.791{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.791{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.790{D25361F1-D019-6305-0B00-000000007502}624748C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000294729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.783{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000294728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.782{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000294727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.780{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000294726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.778{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000294725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000294724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.777{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000294723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.774{D25361F1-D01B-6305-0C00-000000007502}8284688C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.010{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7681C5DC10641746A29AC19C6FBE191,SHA256=E3845C81625488DFF052E9F14DFC6970DD5CCA5AF74D1AE458FE24579B924B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:23.958{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54834-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:27.841{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFB4B5C61F82DF8F4A4BDE1C9156D95,SHA256=50CF0EC3652C0EFD06B365A3EE217AD5EA301043CA0D60F76045A807BFCB45DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.900{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.898{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.896{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.893{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.890{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.887{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.886{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.878{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.852{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.844{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.832{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.809{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.803{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.794{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.790{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.788{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.786{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.782{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.779{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.776{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.774{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.773{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 13241300x8000000000000000294756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 13241300x8000000000000000294755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000294754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000294753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d8b79f) 13241300x8000000000000000294752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xc7304efc) 13241300x8000000000000000294751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d8b79f) 13241300x8000000000000000294750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xc71deaa6) 13241300x8000000000000000294749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000294748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000294747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 13241300x8000000000000000294746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 13241300x8000000000000000294745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.694{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 10341000x8000000000000000294744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.694{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-CFFE-6305-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000294743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.690{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 10341000x8000000000000000294742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.573{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.573{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000294740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 09:56:27.573{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-854.attackrange.local 10341000x8000000000000000294739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.573{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.246{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.242{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.233{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.232{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000294734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.226{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000294733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.094{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B6C86BE8E620B15C7FC0DB47979898,SHA256=A0CF9913DF592581BAFA0D06CB38B862CCFEE544409A0BE352468D5069A3D00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:28.957{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F6033F1F7B2CD3EF92F69D30C0C087,SHA256=745EF4274AF12108BAE0BBA8CC611E626C5EC9CB44460405E67BC6B41E9389AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.154{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61325-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000294786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.154{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61325-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000294785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.047{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61324-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000294784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.047{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61324-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000294783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.038{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61323-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000294782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:27.038{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local61323-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000294781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:28.625{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=330839E3F67EF3D1A7A1691EAB130E36,SHA256=760223DC039B9D9716F60EB90622F22F89969300D842926DFF5F97B4F45F6EB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:26.671{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61322-false10.0.1.12-8000- 23542300x8000000000000000294779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:28.425{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31699DFEE118DF11B9B0D4646A0101DB,SHA256=E462D114942C535AF760445236B1D3F19231C0C8D2280E144672E7954C31A5EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:26.130{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54836-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000306041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:25.977{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:29.509{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24202E742E35645CC9B200CFC405CB2,SHA256=604BEB0FA2232049F909C0694B44BD3A747CB276A578B8C64600128D888DBCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:30.655{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C54BBCC340A00D2B90D92D66281A80E,SHA256=54B95603C63CFEBF13FACB553AFE5AFBA480A3981379A16C3FACBE7D9BE9415E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:28.328{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54837-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:30.041{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A03B738D5DBAB1C4CF4C81C52344A6,SHA256=BD8C361473D1ED1BF5D7915F8AE41AE2391A973754C434FA4E0BD7F1DB1864AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:31.772{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F93625A3AC4BB6C13AF547EFF61DD0,SHA256=A2759C9D1005839E7E5CAD596E8CBC1790C5579014625343B530E8BDD0331ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:31.171{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37C1D33C6102F2CCADECAF9DACB115B,SHA256=6175E40F8996443B6693787184D61EA95B02723F55E750AD82D0B95885086B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:32.789{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FFE8F1D645B2018F0CF17F1DB0DE60,SHA256=5754F4ABB73F021423A3579EBDD6D9F668FCCA131A1A94FA3A938DC91D6F0820,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:30.528{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54838-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:32.242{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680A713EBA4162EF2DA897FFD1312B66,SHA256=D0E3B1EE28EEFDC69B779754C8FE665E38740A0C6F7FEBEBC5BD856A5278315A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:33.835{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D43DB5D0CCA2570F48A2A449FAA3EFB,SHA256=300A468197298BEDC391E8A8653A6A0BD2D800CA6C91B137DD1B13386D15E305,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:31.985{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54839-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000306049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:33.346{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CAE3A93F2EAE12CC84D5A48297B8E8,SHA256=2B661495238918A49BE6AF08292F57AAD33D12087B9CA0465989D4E22F9BD739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:32.791{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54840-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:34.457{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F42C1D71109C904FDEF63FEE9DA0A01,SHA256=1733096DF876247067BD993F35B9C59D7EC72D4FBAB91F0EA39A678381633379,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:32.582{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61326-false10.0.1.12-8000- 23542300x8000000000000000294793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:35.066{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296572C058FF03D742E8E0E5F187FC22,SHA256=9392F2561529B8A36021AE14B1112141E36459F8A867DA1B4AD764EB242ACDF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:35.981{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:35.966{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000306053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:35.545{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FB601F79E5B46DBFC0818EB7FA7C5A,SHA256=1C729674201C0D7471F1C03AC27136975F57937C85B9F920D2C2D571A70B60AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:35.093{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54841-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000306110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.613{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C63F7C923CF75B814D2AA8176F3F1B2,SHA256=83801E083A0370E51054424C245FE2416BA0B0E97AC637418D8EBD311B3FA870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:36.183{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCFE2505824B2A1DBE786A6FEED99EA,SHA256=CB3FB8D12650492F60878B28137213F2A2EFAD31CE7F2F0FC3E3FF2322191E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.515{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DD9D88B164A1077333E36763870465,SHA256=3DC5862A595F2306E70BF5883108CC6B6F3BFCA0ECCC06E0BD028082813BA8B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.441{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.440{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.439{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.431{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.428{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.424{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.422{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.419{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.414{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.410{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.408{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.403{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.401{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.388{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.362{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.360{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.358{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.358{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.356{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.355{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.338{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.322{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.290{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.278{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.264{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.256{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.254{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.251{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.248{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.244{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.243{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.240{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.238{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.235{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.233{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.229{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.224{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.218{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.215{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.210{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.202{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.200{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.183{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.174{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.161{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.152{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.143{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.127{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.066{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.055{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.043{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.023{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000306056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:36.002{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000306112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:37.729{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F99D694E2735C09D36FFB20C4BE8CB7,SHA256=4108B19BD3A2A36C66DB70ACCD9AA7E73813ABC585EA516FB2CC8DC0CADCEEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:37.284{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEDAECFF52D39788726FC8E264F86EA,SHA256=7A29AEBAB09E062910F97B0B35A597C43B61D156D713150BF81C5D14FE21669B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.846{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0C8D92244D69FF3E7CBB9C7090C990,SHA256=76365C12B8B0877F9CB849227F1AA52FA6C702D6897EA4527CAF2A323D750207,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:37.363{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54842-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:38.433{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F09CA80B041FF601A5E44D719F5DCC,SHA256=A4FF17EA2B02093324C88D587413A1E9BA03BF714A4E53EA88BE426508011621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.328{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.328{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.328{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.321{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000306118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.321{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000306117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.320{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000306116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000306115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000306114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.316{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000306113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:38.314{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:38.318{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2A52E706B175039D15D76E4AC66A9F7C,SHA256=FDBF378842DC93F7BE7E22C11C6DBC58E7677EFD4545B4CEE40CABF8C3F2FD89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:39.832{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417D2FC2065F90D0B366B610563D6FE3,SHA256=41BFAB87A9F396E6168BC3C6521C1ECE1346DDA2F976A96A4F2C3F7BFE55A236,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:37.910{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54843-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:39.582{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF61AD7FCC59FADD58E531B673DA11B8,SHA256=98CD18E0B5C8E3546AD851A164D8745EEC83AA073D9A816420556E96DED67A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:39.517{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB74D7710AFF9FF0F164DF5F5AD1F94,SHA256=9914F5C84FFCDD873222C85D55FBA34717FEDB8F580A21E0C3C28185DA425454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:40.863{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5ACDC0A3A483460581F227B19F4ECFC,SHA256=6111AEF1654B48A75286DE26E3CAC2DB464E631098FCE333A8F1653276831839,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:38.525{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61327-false10.0.1.12-8000- 23542300x8000000000000000294801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:40.582{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CAACA4EC8CB70CCDA30DBA6B7A2A54,SHA256=AE416BE59CD4A5458911021E03580439DADC25BE3EAE64FA6BC3A4B1A640F000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:41.978{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8853D38E660FB43D06712A77C399603,SHA256=711C55D5B9EBE03A884DBDA6FA397CD638F1672B13E0DF9DEE7465868FA008C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:39.634{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54844-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:41.703{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC16DC4709C3435D7893D1FBB2E1D53,SHA256=01963BC978339596FE6FD9D3A4DC4707939AA1263D3411E35681C28262AF085A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:41.383{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=53A691A3AF9391168BB5003BAEE672E9,SHA256=72D0809B1749E771CEE550E9CEE9A52A51529E145888694A3BF932438747BE3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:42.849{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A3AA617EF3AF6CD364DCDBBF3F0BF4,SHA256=9377BF579EEBBAD27C0734293D46831F765F87E8FFF8BD450266E51E8B0D3E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:42.956{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC86ED15937CC7D5A0E04BEFE4361F37,SHA256=C87EC903B18C16F51B1D2DDB1E3498FB0440FC7E7A07BED3D709CE28A227BCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:42.897{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-156MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:42.715{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AB16E80A5E6A67A94C1ED5F85D682413,SHA256=B4A15244E1ED16363B96A567F3B47956C41C657E885C171D27A605CD7133351F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:41.849{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54845-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000306135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:43.917{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D39E2744D453B04F93BFFC41BA018A3,SHA256=BDF6DDE7AB476043DBE9E3915B25AB762B07C6FB3750103EB246E704CAB98A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:43.916{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:43.964{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0E8131ADD707C0B232F71C4C557CDA,SHA256=24C48C2383BA3071A067B03EF67540E32710E6D557672DE0309DE52FED0A5BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:43.878{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.635{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.630{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.627{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.624{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.622{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.599{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 354300x8000000000000000306137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:42.960{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54846-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000294818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.594{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.584{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.579{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.573{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.565{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.556{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.547{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.539{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.531{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.518{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.480{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.478{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000306138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:45.146{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FDD6844B57FF38DAD05A962419C57D,SHA256=662819E6E8E7DC6263051F3CF8F12D15926005F313764FD213C4BBB387F3F4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.072{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.070{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.068{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.065{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.063{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000294825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:45.018{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21059C2ED60EE5F46BADE3E70C83E181,SHA256=B63B8585121225078A3DD64F0DFA363223F0F7C29D7165EC00692AB2FAEA2257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:46.177{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1324CCB32D41C8E0B68E854A8DBF7C00,SHA256=A9C3164064BD81DD928FB511FCAC2EFCCC639331C386D99A745BBD675741DC77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:44.477{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61328-false10.0.1.12-8000- 23542300x8000000000000000294831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:46.125{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693A6D956B5125165FFB085CA8638D16,SHA256=2382A255B83B79B574C5DA264E22C49D8BB092430870C5C50DC19FC7E4419988,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:44.149{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54848-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000306139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:43.628{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54847-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000294860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.746{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-E742-6305-7703-000000007502}2796C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.743{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.736{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.733{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.731{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.728{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.726{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.720{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.703{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.696{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.687{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.671{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.664{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.656{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.651{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.648{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.645{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.639{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.637{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.636{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.634{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.633{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000294838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.217{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4A60577CF8865F8B004D45747BD018,SHA256=5989AF2D940B03E9CC3C39F4DC030FAF641B1239D6789BAEAFB6BC29AB3DA9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:47.214{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D80D665C19B56AC509E4A8E4F0FEDD6,SHA256=7A71F4BA5F1360D3058E91E91281C92E1659FC0918D55C917398FF8873593E8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.122{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.120{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.110{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.108{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 10341000x8000000000000000294833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:47.101{D25361F1-D530-6305-4001-000000007502}40323900C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000130AEA90) 23542300x8000000000000000294861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:48.316{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8C227B9D757D0A5C4A7664279E7711,SHA256=F9F6735A956BAEBAA1B7255AD9297448CBB04783F6440F586099052DA0CB76A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:48.231{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4C06B1D89C06ABBB3A55E39FB0E788,SHA256=5AFED5A98D1A47C6A2FAA5799C91872838970EA433C2A30BB02A31C2816A4214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:49.448{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEF3802C28D3ED98A85B18AAED9CCA7,SHA256=4AD1775A73196199D23AE80C3C31D903528B11CCE0512BA881B5F06BB441939E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:49.346{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9621785A67F23558B423C3C191392C1B,SHA256=2669ED90CF1AAEED79718092237CF6AA022DDD23D72CD5D6352B16B6C4EB86EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:46.449{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54849-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:50.681{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1149104FB13C61D3228640095FAFEE0,SHA256=D815FCF94879531CE1AF3AC606E621413ED461185DF6E52CCC3FDBA62F924A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:50.462{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72E4E927B98F7F5D067C6F4983B6058,SHA256=32269BBA48C7FFDC57152314891FD0047C2B366473102665E005A82BB299DDEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:47.975{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54850-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:51.802{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C198F82E2F0296545E59AB79825B1BE8,SHA256=E09B9665CB4424A1D4E629BCBBC3A5DE12B264E29DF0CC869DA1BD36A9776986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:51.565{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF932BE5A47BF5BA67FF5C7CB7E4D87,SHA256=26ECD86F9E82B5DE69D8C1E4AE851A152CDC0F096628E7F29822BBCD2C3105FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:48.733{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54851-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000294865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:50.493{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61329-false10.0.1.12-8000- 23542300x8000000000000000306150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:52.677{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EF6B5DC58BA86081C0878ECE9792D2,SHA256=554EAFFE261E14C301959875A719AE3F9C226D53521837FDC18AE4DC6033D3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.861{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1EBAA72DBB4262B09908A2DC722EE6,SHA256=F76E9F080F03D33D6A2F4CF2C65EA6B98DEC94BEDBEBCE58FBFE5A51738A0A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.695{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=83D60C0C30E4A684D4AB3AC5674859AC,SHA256=ACD772EAE6406A3A7CA8583A37C090E09A9C56510D5BCF00FB24BF3466BDB12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:53.064{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71ACA6C72926571F88923CAE755832B2,SHA256=462039D7EA41BA123457DEEA1C86DDE3EF1B5EF219E8538D46ADDEE7EF67D370,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.306{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000306201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.303{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.303{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000306199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:51.033{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54852-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000306198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.147{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000306163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000306162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000306157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.131{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.132{F6DB49F2-F5E5-6305-8305-000000007602}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:54.814{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767F73E75AF484E7F3CDBAA51B9A45D6,SHA256=0BFEF98016AE1A478B1AA838CC8C2C1ACFA8C5B50E171BB900FDABB2F7EC6A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:54.571{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-156MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:54.081{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDD26162AEF67DC92F3C8E67DA72883,SHA256=E85111F16673528835A1770EF277C02265CB085E14293BE795EFCA2B728041F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:54.195{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6D1F8E04665E8A8858D036B31182B09,SHA256=B4A70A16A5B12D6EBB2868E72E83C7E294EBB290456358E7C8A8DF12F692B6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:55.582{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:55.184{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC0A1DA078E22F6B3AE2CEB4E867C50,SHA256=231C8C4F008AAEEB063F13A1CB29C85BA012690F7ACE483C9276C09DCD938EE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.998{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.985{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.977{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000306315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.964{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.963{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.963{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.961{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000306311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.961{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000306310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.959{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.959{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.959{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.958{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.957{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000306305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.957{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000306304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.949{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.948{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.947{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.947{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.947{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.947{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.946{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.946{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000306289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.946{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.946{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000306277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000306272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.934{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.930{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F457FBBE130361C5122D075F7E227BD3,SHA256=B686859AA380BC3F634458FB755FC383CC2650D47DD70506776D74AB2D36BA24,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.514{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000306263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.498{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.498{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000306261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.498{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F6616C94996ED541861795BA3A21E9B,SHA256=5BD92FE5C411EEBE7A72C1E2FAE1029912843B39D11C112EE59B71CAFEE296D0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.360{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000306251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.345{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000306229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000306227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000306226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000306224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000306223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000306220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000306215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.329{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.330{F6DB49F2-F5E7-6305-8405-000000007602}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000306208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.233{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54854-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000306207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:53.042{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54853-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:56.283{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DEA86FEB24538BAB694FF88D2D6E5C,SHA256=C65D5FEC3BE291BDCC5410CAF002E49DE2EED16990D12119A0FA3EA495474382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000306372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.348{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C6795D8A2AD50903ED754BF3CEBA32,SHA256=B13EBB6B923BD73B0FE9B1C3B47BB357BD3845889626CFC748639C526526A128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000306371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.274{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F072-6305-DF04-000000007602}4628C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.273{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7E04-000000007602}712C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.272{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ED3B-6305-7D04-000000007602}5132C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\dumpcap.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.267{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-ECEB-6305-4A04-000000007602}1892C:\Users\Administrator\Downloads\WiresharkPortable64\App\Wireshark\Wireshark.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.265{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.262{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.260{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.257{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.255{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.252{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.248{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.246{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.244{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.236{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.209{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.207{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.206{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0101-000000007602}5972C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.205{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D257-6305-0001-000000007602}5416C:\Users\Administrator\Downloads\qiew-v1.2.1-win-amd64-3.6\qiew.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.205{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.204{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.191{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.177{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.152{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.147{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.123{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.121{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.118{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.114{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.113{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.111{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.109{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.107{F6DB49F2-F5E7-6305-8505-000000007602}16884808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.107{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 10341000x8000000000000000306333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.107{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 734700x8000000000000000306332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.107{F6DB49F2-F5E7-6305-8505-000000007602}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000306331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.102{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.100{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.096{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.090{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.088{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.077{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.069{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.063{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.057{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.049{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.039{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.012{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000306319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:56.007{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 354300x8000000000000000294873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:55.711{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61330-false10.0.1.12-8000- 23542300x8000000000000000294872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:57.385{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA106CF3C2856BE1AC364BBE45F0F8C2,SHA256=08B67B0BA531B035E222717E492DF73827CF4DB712DD4FF5FDD77D568191CED1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.676{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000306424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.676{F6DB49F2-F5E9-6305-8605-000000007602}61244128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.676{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.676{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000306421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.515{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.515{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.514{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.514{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000306386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.498{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000306381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.497{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.496{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.493{F6DB49F2-F5E9-6305-8605-000000007602}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000306374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:57.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6563F11BEED89C92A49CBDD5A5D96AD7,SHA256=267FB08A08683EDA88ED786A4DD27A40FD270D5D4AF5C00C5875A06E8C57AFCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000306373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:55.513{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal54855-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000294874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 09:56:58.519{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3883FB322FE4F9276BDD2BA9594E2587,SHA256=2F4712026CA934B3D42B90CD458568DF1A557A0BB3448A5740F538D00872365C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.879{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000306535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.879{F6DB49F2-F5EA-6305-8805-000000007602}21643752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.863{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.863{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000306532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.827{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.827{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.827{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.826{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.826{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000306527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.826{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000306526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.733{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCEB63B01E4F8532401B1C7FD3BAAC2,SHA256=428B8B277C09983020DB44DA6610B92B9160761A8F1164DB1471A99155821F03,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.677{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000306491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000306490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000306488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000306487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000306485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000306480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000306479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.662{F6DB49F2-F5EA-6305-8805-000000007602}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000306478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.378{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000306477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.378{F6DB49F2-F5EA-6305-8705-000000007602}49284664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000306476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.362{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000306475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.362{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000306474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.315{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16277692CA8DBA03BCC320119FDBE1F4,SHA256=B991A75027B8881CD8DFDC09C3BC9D61C81EA3CE94B75BE404D74C75A0755024,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000306473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.199{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000306472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.199{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000306471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.199{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000306470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.198{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000306469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.196{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000306468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.196{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000306467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.195{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000306466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.195{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000306465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000306464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000306463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000306462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000306461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000306460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000306459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000306458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000306457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000306456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000306455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000306454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000306453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000306452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000306451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000306450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000306449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000306448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000306447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000306446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.177{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000306445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000306444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000306443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000306442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000306441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 09:56:58.162{F6DB49F2-F5EA-6305-8705-000000007602}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000306440