12241200x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.690{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.595{3AAE424D-E695-630D-9303-000000007502}28646088C:\Windows\system32\conhost.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program 
Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-E695-630D-9203-000000007502}55046024C:\Windows\system32\cmd.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program 
Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.538{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\WIN-HOST-CTUS-A\Administrator{3AAE424D-E5C3-630D-A9E7-310000000000}0x31e7a92HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.485{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F31491D29246E767555ABA248A03F2,SHA256=FAF2EC6D435DE4D8CD3B0F491F319B5168682C66AF9A604978C54511B91C7927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:08.108{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E706425B50B1802A7203FFBFEB0E85,SHA256=FF700F151EB900692ECB32AAE0124DB7CFFCC777315D493D772E3820A66F9C5D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:09.986{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:09.986{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 23542300x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:09.673{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93740D876DA7D5E73B5B5E78DF6C3D6D,SHA256=E7910FB3CADD77E38C5A3114901D3301622D5D34315DEEE14C4C226AB6CCD824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.719{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=033D337EF9B8FCD8F92FA195CDD9F965,SHA256=F98CAD59E4BB8F6A01BDD100AA3264527DB9B0164C49AAD169D0902FC0CFAFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.718{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EEDC9FF5E7F2D31913516146FAE86984,SHA256=C6F32341DCDE294EC4991D149566D83CE3797A32BA440A8045E1A87E17F1B7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.717{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7657411E92B17ADBBD955B4BCD36DE67,SHA256=7703B0A9147988CAC10DB625BE725FBA67D72DFB0B2FF0532C6BC0AD67F6166F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.661{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.654{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.651{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.649{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.647{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.620{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.613{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.599{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.592{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.586{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.577{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.570{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.557{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.548{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.539{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.527{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.472{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.469{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000037953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.413{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.195{BEA5AFC2-DD02-630D-F800-000000007402}632NT 
AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=29FD1309B2B4B62079D1DDD764C2DF63,SHA256=BC15E07E1D061B92C32871AB7786128C18DBA6720909DDA4B36407522311DD1B,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true   (tail of the EID 23 record whose header precedes this section: User, Image, TargetFilename, Hashes, IsExecutable, Archived)

Sysmon records from Microsoft-Windows-Sysmon/Operational, one per line, fields in Sysmon schema order. Common to every record: Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-"; EID 3 (NetworkConnect) and EID 23 (FileDelete) records are schema version 5, EID 10 (ProcessAccess) records are version 3. In every EID 3 record Initiated is true, SourceIsIpv6 and DestinationIsIpv6 are false, and SourcePortName and DestinationPortName are "-". In every EID 10 record the source image is C:\Program Files\Aurora-Agent\aurora-agent.exe and the CallTrace is
C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(<addr>)
with <addr> given per record. The last record's CallTrace continues past the end of this section.

EID 23 FileDelete | rec 28321 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.767 | ProcessGuid {3AAE424D-DF54-630D-E300-000000007502} | pid 3432 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C6B4D4BFC88DAC8BAF6E253708A2FC5D,SHA256=F2E0D591F198008DB652D5328FF5BE2F14E41AC8CE8A831B79398886F0AFBABD,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 23 FileDelete | rec 37983 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:10.526 | ProcessGuid {BEA5AFC2-DD02-630D-F800-000000007402} | pid 632 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=AB0229918CE4A16C202E7D4445110F75,SHA256=29EE99F7A3DD195959F51E0BA83EABE0429EBC28C03BD9A0CE96E41323D60BA3,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 3 NetworkConnect | rec 37982 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:07.979 | ProcessGuid {BEA5AFC2-DCFC-630D-DD00-000000007402} | pid 5056 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | src 10.0.1.14 (win-dc-ctus-attack-range-146.attackrange.local) port 53685 | dst 10.0.1.12 (-) port 8000
EID 23 FileDelete | rec 28320 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.330 | ProcessGuid {3AAE424D-DF54-630D-E300-000000007502} | pid 3432 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application | MD5=11D1BFD3431EE1F39112B2CC277BDF01,SHA256=F9A661EB1F4EC8F60149903272DBEAF25EC477B2647D2F72A849DA027233ED93,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 10 ProcessAccess | rec 28319 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.242 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF47-630D-9900-000000007502} pid 680 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x1010 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28318 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.242 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF47-630D-9900-000000007502} pid 680 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28317 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.242 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF47-630D-9900-000000007502} pid 680 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28316 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.242 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF47-630D-9900-000000007502} pid 680 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28315 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.242 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF47-630D-9900-000000007502} pid 680 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28314 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.240 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF4E-630D-CA00-000000007502} pid 744 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28313 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.240 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF4E-630D-CA00-000000007502} pid 744 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28312 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.240 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF47-630D-9900-000000007502} pid 680 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28311 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.240 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF47-630D-9900-000000007502} pid 680 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28310 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.239 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF4E-630D-CA00-000000007502} pid 744 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28309 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.239 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF4E-630D-CA00-000000007502} pid 744 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28308 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.238 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DEE2-630D-0A00-000000007502} pid 616 C:\Windows\system32\services.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28307 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.238 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DEE2-630D-0A00-000000007502} pid 616 C:\Windows\system32\services.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28306 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.238 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DEE2-630D-0A00-000000007502} pid 616 C:\Windows\system32\services.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28305 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.238 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DEE2-630D-0A00-000000007502} pid 616 C:\Windows\system32\services.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28304 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.236 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF5D-630D-E800-000000007502} pid 1876 C:\Windows\System32\msdtc.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28303 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.236 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF5D-630D-E800-000000007502} pid 1876 C:\Windows\System32\msdtc.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28302 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.236 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DEE2-630D-0A00-000000007502} pid 616 C:\Windows\system32\services.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28301 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.236 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DEE2-630D-0A00-000000007502} pid 616 C:\Windows\system32\services.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28300 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.234 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF5D-630D-E800-000000007502} pid 1876 C:\Windows\System32\msdtc.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 28299 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:10.233 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5860 | target {3AAE424D-DF5D-630D-E800-000000007502} pid 1876 C:\Windows\System32\msdtc.exe | GrantedAccess 0x1000 | addr 0000000012838F10
EID 10 ProcessAccess | rec 37981 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:10.172 | source {BEA5AFC2-E595-630D-7006-000000007402} pid 5272 tid 5352 | target {BEA5AFC2-DC92-630D-2900-000000007402} pid 2672 C:\Windows\system32\dfssvc.exe | GrantedAccess 0x40 | addr 0000000012980190
EID 10 ProcessAccess | rec 37980 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:10.165 | source {BEA5AFC2-E595-630D-7006-000000007402} pid 5272 tid 5352 | target {BEA5AFC2-DC92-630D-2500-000000007402} pid 2488 C:\Windows\sysmon64.exe | GrantedAccess 0x40 | addr 0000000012980190
EID 10 ProcessAccess | rec 37979 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:10.163 | source {BEA5AFC2-E595-630D-7006-000000007402} pid 5272 tid 5352 | target {BEA5AFC2-DC92-630D-2600-000000007402} pid 2496 C:\Windows\System32\ismserv.exe | GrantedAccess 0x40 | addr 0000000012980190
EID 10 ProcessAccess | rec 37978 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:10.160 | source {BEA5AFC2-E595-630D-7006-000000007402} pid 5272 tid 5352 | target {BEA5AFC2-DC92-630D-2300-000000007402} pid 2472 C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | GrantedAccess 0x40 | addr 0000000012980190
EID 10 ProcessAccess | rec 37977 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:10.152 | source {BEA5AFC2-E595-630D-7006-000000007402} pid 5272 tid 5352 | target {BEA5AFC2-DC92-630D-2200-000000007402} pid 2440 C:\Windows\system32\DFSRs.exe | GrantedAccess 0x40 | addr 0000000012980190
EID 10 ProcessAccess | rec 37976 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:10.134 | source {BEA5AFC2-E595-630D-7006-000000007402} pid 5272 tid 5352 | target {BEA5AFC2-DC92-630D-2100-000000007402} pid 2432 C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | GrantedAccess 0x40 | addr 0000000012980190
EID 10 ProcessAccess | rec 37975 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:10.129 | source {BEA5AFC2-E595-630D-7006-000000007402} pid 5272 tid 5352 | target {BEA5AFC2-DC92-630D-2000-000000007402} pid 2424 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | addr 0000000012980190
EID 3 NetworkConnect | rec 28364 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:09.835 | ProcessGuid {3AAE424D-DF4E-630D-CA00-000000007502} | pid 744 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | src 10.0.1.15 (win-host-ctus-attack-range-115.us-east-2.compute.internal) port 50266 | dst 10.0.1.12 (ip-10-0-1-12.us-east-2.compute.internal) port 8000
EID 23 FileDelete | rec 37985 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:11.345 | ProcessGuid {BEA5AFC2-DD02-630D-F800-000000007402} | pid 632 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | target C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EE42F2FA96D3765D6970AAA32E77519E,SHA256=01370F3B8F1CE391DC6548B6FB41EE50A9F2C865DBB4CFAE087C878644094A0F,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
EID 3 NetworkConnect | rec 37984 | win-dc-ctus-attack-range-146.attackrange.local | 2022-08-30 10:44:09.175 | ProcessGuid {BEA5AFC2-DCF5-630D-AC00-000000007402} | pid 4112 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | src 10.0.1.14 (win-dc-ctus-attack-range-146.attackrange.local) port 53686 | dst 10.0.1.12 (-) port 8089
EID 10 ProcessAccess | rec 28363 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.726 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E9D5-630D-F803-000000007502} pid 4604 C:\Windows\system32\wbem\wmiprvse.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28362 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.724 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E695-630D-9303-000000007502} pid 2864 C:\Windows\system32\conhost.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28361 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.724 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E695-630D-9203-000000007502} pid 5504 C:\Windows\system32\cmd.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28360 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.722 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5F8-630D-7E03-000000007502} pid 3772 C:\Program Files\Notepad++\notepad++.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28359 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.702 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5CD-630D-6503-000000007502} pid 4996 C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28358 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.686 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5CC-630D-6303-000000007502} pid 4848 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28357 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.681 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5C5-630D-5603-000000007502} pid 208 C:\Windows\System32\svchost.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28356 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.638 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5C4-630D-5403-000000007502} pid 3604 C:\Windows\Explorer.EXE | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28355 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.626 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5C4-630D-4B03-000000007502} pid 2388 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28354 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.600 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5C3-630D-4803-000000007502} pid 3036 C:\Windows\System32\rdpclip.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28353 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.594 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5C1-630D-4303-000000007502} pid 3720 C:\Windows\system32\dwm.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28352 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.590 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-E5C0-630D-4103-000000007502} pid 3764 C:\Windows\system32\winlogon.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28351 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.586 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-DF5D-630D-E800-000000007502} pid 1876 C:\Windows\System32\msdtc.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28350 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.583 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-DF54-630D-E300-000000007502} pid 3432 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28349 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.580 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-DF4E-630D-CA00-000000007502} pid 744 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28348 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.579 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-DF47-630D-9D00-000000007502} pid 2340 C:\Windows\system32\conhost.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28347 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.575 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-DF47-630D-9900-000000007502} pid 680 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28346 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.574 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-DEEC-630D-6500-000000007502} pid 3292 C:\Windows\system32\conhost.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28345 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.573 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-DEEC-630D-6400-000000007502} pid 3200 C:\Windows\system32\WinrsHost.exe | GrantedAccess 0x40 | addr 0000000012880CD0
EID 10 ProcessAccess | rec 28344 | win-host-ctus-attack-range-115 | 2022-08-30 10:44:11.572 | source {3AAE424D-E5D3-630D-6803-000000007502} pid 5752 tid 5848 | target {3AAE424D-DEE5-630D-3600-000000007502} pid 2040 C:\Windows\system32\conhost.exe | GrantedAccess 0x40 | CallTrace (cut at the end of this section, continues on the next line): C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.570{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.569{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.566{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.562{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.554{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.538{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.536{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.526{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.508{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.504{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.495{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.460{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.454{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.445{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.434{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.422{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.416{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.407{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.399{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.391{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.381{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.378{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:12.930{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45EAD79F835AB5883C8FB9438882E4C,SHA256=7658D874147D79A0304CF5800C2D13041C6799D25D692398C5650C05AD89E2F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.822{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.812{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 
10341000x800000000000000038006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.806{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6406-000000007402}2624C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.779{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.767{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.752{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.747{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.745{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.743{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.740{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.737{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.735{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.734{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1B610B3769ADE5DAF0739CFFBB0AFA,SHA256=2416C513D54E3A5A0DD813AE09B4E5B1854229061FA72443CA4A0536B06E1A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:19.809{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F5548150173B08F213ABC0AAEF5BCD,SHA256=153DC5E6D287E2E55552300D0B090ABD2661E0A01238FDC199BEBA5AADCE0364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:20.892{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C318534444AA95C61D33FEF794924,SHA256=25684ECF1E9B3B466D37EE5755D374B91C86C4B94EE1ACF4EFC44CAF166AC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:21.984{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000038022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:18.970{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53689-false10.0.1.12-8000- 23542300x800000000000000038021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:21.022{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A1EBE658C5573C0011C5C2C5AF07FE,SHA256=5C8FA5EB9454E75814CA2D570AC169A3235303CC93415DE00B373F52538C93FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:22.097{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C54C843DBCB6645790E88793FC976B,SHA256=FEB940C8BE2DAA33BA1F4799E86C3B5EC42CB7127D5B5F2E7EA8030E14577999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:23.177{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F999F60D9FBC7A776717EC803C6FB48D,SHA256=F62AFDF470F0B8D4639D8F53DDE7628123192ACBCCB613B5D8045E9639358382,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:20.836{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50268-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:23.071{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.793{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-055MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.264{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C89737ED47EC34DD49D1C8E559A045,SHA256=E7F60056532AEB4BC686FF3A953CBE9528FB3D1CD024C14D456713FA42A02FB5,IMPHASH=00000000000000000000000000000000falsetrue 
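The records in this export are Sysmon events with the XML tags stripped: the `23…` records are Event ID 23 (FileDelete, here the forwarder's own checkpoint files), the `3…` records are Event ID 3 (NetworkConnect, e.g. lsass.exe to LDAP on loopback and streamfwd.exe to 10.0.1.12:8000), and the `10…` records are Event ID 10 (ProcessAccess), where aurora-agent.exe (PID 5272, thread 5420, running under wow64) opens lsass.exe, winlogon.exe, dns.exe and a series of svchost.exe instances with GrantedAccess 0x40. The practitioner's question on such a page is how to tell that 0x40 (PROCESS_DUP_HANDLE, typical of a handle-enumerating security agent) apart from a credential-dump handle on LSASS. The script below is an added example, not part of the export or of Sysmon, Splunk Attack Range or the Aurora agent: it rebuilds a few of the records above in Sysmon's native XML layout (call traces abridged), adds one constructed, hypothetical 0x1010 open of lsass.exe by `C:\Users\Public\dumper.exe` that does not appear on this page, decodes the GrantedAccess mask into named process rights, and grades each ProcessAccess record.

```python
"""Triage Sysmon ProcessAccess (Event ID 10) records for LSASS handle opens.

Added example, not part of the original log export. The sample events are
constructed in Sysmon's XML layout; three reuse values visible in the export
(aurora-agent.exe -> lsass.exe with GrantedAccess 0x40, svchost -> svchost
0x1000, lsass.exe's loopback LDAP connection). The fourth (dumper.exe, 0x1010)
is hypothetical and is NOT on the page.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows process access rights (winnt.h) used to decode GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION",
}
# Rights a credential dumper needs on lsass.exe; DUP_HANDLE alone reads no memory.
LSASS_DUMP_BITS = 0x0010 | 0x0020 | 0x0008  # VM_READ | VM_WRITE | VM_OPERATION


def event_xml(event_id, computer, data):
    """Build one event in the shape the Microsoft-Windows-Sysmon/Operational channel emits."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')


DC = "win-dc-ctus-attack-range-146.attackrange.local"
SAMPLE_EVENTS = [  # constructed from values in the export unless marked hypothetical
    event_xml(10, DC, {  # security agent enumerating handles: DUP_HANDLE only (call trace abridged)
        "UtcTime": "2022-08-30 10:44:29.474", "SourceProcessId": "5272", "SourceThreadId": "5420",
        "SourceImage": r"C:\Program Files\Aurora-Agent\aurora-agent.exe",
        "TargetProcessId": "640", "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x40",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|"
                     r"C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|"
                     r"C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190)"}),
    event_xml(10, "win-host-ctus-attack-range-115", {  # RPCSS inside svchost (call trace abridged)
        "UtcTime": "2022-08-30 10:44:14.649", "SourceProcessId": "788", "SourceThreadId": "812",
        "SourceImage": r"C:\Windows\system32\svchost.exe", "TargetProcessId": "208",
        "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\rpcss.dll+2dab9"}),
    event_xml(3, DC, {  # lsass.exe talking LDAP to itself over loopback; not a ProcessAccess record
        "UtcTime": "2022-08-30 10:44:13.182", "Image": r"C:\Windows\System32\lsass.exe",
        "DestinationIp": "0:0:0:0:0:0:0:1", "DestinationPort": "389", "DestinationPortName": "ldap"}),
    event_xml(10, DC, {  # HYPOTHETICAL: memory-read rights on LSASS, the credential-dump pattern
        "UtcTime": "2022-08-30 10:45:00.000", "SourceProcessId": "4444", "SourceThreadId": "4448",
        "SourceImage": r"C:\Users\Public\dumper.exe", "TargetProcessId": "640",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6144|UNKNOWN(00000000001A2B3C)"}),
]


def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def decode_access(mask_hex):
    """Expand a GrantedAccess value such as '0x1010' into the named rights it contains."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def triage_process_access(event_id, data):
    """Grade an Event ID 10 record; returns None for any other event type."""
    if event_id != 10:
        return None
    mask = int(data["GrantedAccess"], 16)
    target = data["TargetImage"].lower()
    unresolved = any(f.startswith("UNKNOWN") for f in data.get("CallTrace", "").split("|"))
    if target.endswith(r"\lsass.exe") and mask & LSASS_DUMP_BITS:
        severity = "high"   # VM_READ/VM_WRITE/VM_OPERATION on LSASS
    elif target.endswith(r"\lsass.exe"):
        severity = "info"   # e.g. 0x40 DUP_HANDLE from a handle-enumerating agent
    else:
        severity = "none"
    return {"severity": severity, "source": data["SourceImage"], "target": data["TargetImage"],
            "rights": decode_access(data["GrantedAccess"]), "unresolved_frames": unresolved}


def run(events=SAMPLE_EVENTS):
    """Parse every event and return the verdicts for the ProcessAccess ones, in input order."""
    results = []
    for xml_text in events:
        event_id, _computer, data = parse_event(xml_text)
        verdict = triage_process_access(event_id, data)
        if verdict is not None:
            results.append(verdict)
    return results


if __name__ == "__main__":
    for r in run():
        print(r["severity"], r["source"], "->", r["target"], r["rights"],
              "unresolved frames:", r["unresolved_frames"])
```

The grading keys on the access-mask bits rather than on the source image, because the same 0x40 open from an unknown binary should still be reviewed, while a known agent asking for VM_READ on LSASS should not be whitelisted away; the `unresolved_frames` flag is reported but not scored, since the wow64 agent in the export legitimately ends its call trace in an UNKNOWN frame.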
23542300x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:24.160{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8EFD8EA69595DA15E93ACF6695686,SHA256=CCAD43BC8A9A3CB86A216E143EA9C5262E5AE2E3ED2B107E2CD7FCDDE4B43B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:25.798{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:25.336{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB0F1B7AB3786287FFA9121FA27BB37,SHA256=6C6C11CA784FFF6E9E260848FD1D8C7DA5A9522C45331E2D4F637621A5A090F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:25.250{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7DEEB84617FEC82F950C12351D6AB9,SHA256=63C7E985097508F6D2CBF0FC09DAF937FBD0CFA8DA43409E46019C19C25A38ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:26.425{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DEBBC91BCA763AEF965A7257E8AE14,SHA256=E6E3704685AF196D16BB70191758BF7624605B36BFD0A76829E80CEF7AD39EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:26.337{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B5A4B161F96C329D79F55E34FF2BC4,SHA256=856699CB41CFDEAACB3F569A853AC5988A9A653DC04ADCEE2DEDAFB744090315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.523{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36993607D3F713D53B01C9B02AF36C5,SHA256=78876D0C7751AE36D31AE717675246E92F093B20A45E66E012E856E4BACC3C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:27.516{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34B4EA953EB98139BB6819BD0663A49,SHA256=91A0461F8E905047E720114B854D90FD9EB06F3609102EA4BAF3B5053180045D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.848{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53690-false10.0.1.12-8000- 23542300x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.311{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:28.831{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05D311497D11C1F3FFD01AFF624AD2C,SHA256=F21C0B961C6953FD9BE1787DCD8A47EEE8724F1934819557210EFFF3556AE207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:28.493{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE592E82697E8D9EF8611A2259A025A4,SHA256=F4C802397E100CBC47AD49B0D39C0ED2A0E32AD67A33B3B13DF70F4FE868DB13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.000{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50270-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:25.913{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50269-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:29.922{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1443D79DF536FEADFBA538A991C6A97,SHA256=AC76FC7DC7138E713DD3EEBA5D560AB4D8759B31EC61367ADEC4D9DDB672BBC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.657{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.651{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.648{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.646{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.644{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.617{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.612{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.592{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.585{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.581{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 23542300x800000000000000038041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.578{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1119ABAFAA87DE0351B638A860CA6E3,SHA256=0C622A28D5F97A271C5EE4C9AEB2E2F9CD5EFAA5DEBB520B04E55CA6C47DF67A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:29.573{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.566{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.556{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.550{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.541{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.533{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.474{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.471{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 23542300x800000000000000038059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.628{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08625789869DF1F725DF77E5CDEFAE63,SHA256=845C705C64722641406408D6516E8CC6BA00A70CB4E13B1C9B125D8A5B53182C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:30.082{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.075{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.073{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.070{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.058{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.042{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.038{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:31.913{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:31.721{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005940CF9D7FD4C47337EAD1CC454C13,SHA256=CEA32CC5198E07B820ECBC0F1C23EEF44FF491F5AF77C7C27BFBB709F50E1856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.882{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.881{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.881{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.879{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.861{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.848{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.844{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.806{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.796{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.766{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.759{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.748{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.745{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.742{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.739{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.738{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.733{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.732{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.730{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.729{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.726{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.724{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.721{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.714{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.705{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.699{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.695{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.676{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.649{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.646{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
23542300x800000000000000038093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:40.403{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C6F8FC64FB808D2FC17FC489A1059D,SHA256=5EFD6E481BBDC71E16738A202E2E9498DD61FB5C563D7AF7F6E68B693546C371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}5203608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service 
Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 
734700x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating 
SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.736{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.062{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31637210A1FF235D9B78D3A49A95A63F,SHA256=1B58E73C11E84F0C30039877AD21087E6B54CAD5BB5FA98CC0C494214E5D8077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:41.504{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B442229FEBE9CABFCBC4C501B23487,SHA256=365B4861A2CE6DBE814E4D4C106A77B1B5522357B4ADEA85D3E56743519FFD9E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.891{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B160998D972270500C68B6B926332A,SHA256=37637BD0AF937D447EF9BA2E4BA8CFCBBFDFB608C8F16EDBD979FFB26592C523,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.736{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BC9000A2C4D80A124283CE59F6789C86,SHA256=8312B03E71E50A8ED176AC9C694B0C7729273413EB8C19D28D6D6EE77461F8B5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 23542300x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316D71A11DD63DBEF874798790802302,SHA256=1B42F629FA7B61FE57FBF7BBC42B0E5CBB2158A45C0544EF5B3CEA3C42C24F24,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 23542300x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2C1130532EED3D77D2CD7CC2B1BA39AC,SHA256=54BB5AC401863448373CA9CC23A3DBC052060FFF73D7F9D53FDC52BAD6E9582B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 
(rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.980{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.976{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.974{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
10341000x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA275F2C57478DA3BA66D236BEB017C9,SHA256=69F58D67FEC7BC1D0886EFABE3170B8F5B60389936AE8C5576602BAFDA5F308C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.389{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.389{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.389{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
10341000x800000000000000028852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.250{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.250{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.250{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.249{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.249{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.249{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000028846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x800000000000000028838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000028835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 
734700x800000000000000028824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x800000000000000028817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000028814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 
(rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x800000000000000028810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 
(rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000028805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:46.198{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:46.198{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.199{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.089{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BFEB48FE5584B70F4F4A86083B9848,SHA256=0A0E7530D1E6807794AF27F5BC03B57E62AA3B7BB74D54FFD3F39F1874FCB38F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000038109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA1F-630D-0A07-000000007402}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA1F-630D-0A07-000000007402}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA1F-630D-0A07-000000007402}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.619{BEA5AFC2-EA1F-630D-0A07-000000007402}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:47.281{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D6F1057A553D1CA06470D231A84B2A,SHA256=DD0BC1968C2EAA4FBE7D643213BE70D6CE3C6FB25BC5CC39C0779D5E7B09E347,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000028856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:47.281{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=029ACEEEB92E393FDEF9BD86BB5AED67,SHA256=3E3A80FAC2454411A66722D80791BB5781A70893A44FAC00863E2737B7BD2365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:48.394{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74627CE8C2B8D27589B0103E8532978,SHA256=67257E606341240C9AC33A361782E89BCA66554B63C7E8B2CCA150BD4A58625A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.966{BEA5AFC2-EA20-630D-0C07-000000007402}60206336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:48.810{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA20-630D-0C07-000000007402}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:48.810{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:48.810{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA20-630D-0C07-000000007402}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA20-630D-0C07-000000007402}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.811{BEA5AFC2-EA20-630D-0C07-000000007402}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.732{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7B1BF3881CBF0BFA5BE0339EE7F56E,SHA256=725B8EE12C89E9C67A9A426147027120940EE497D67693F2A3DEB2BF7400DAB8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000038120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA20-630D-0B07-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:48.293{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:48.293{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA20-630D-0B07-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000038114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=70F244C5671F339DE19A5FC1B425F9DC,SHA256=FC0F9D65B0A539240A465E44CED13B805CF0AC4D0CC411DCF7AD133CD041CACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:48.293 (remainder of the EventID 10 ProcessAccess record whose header falls before this section)
  SourceProcessGUID {BEA5AFC2-DCF5-630D-AC00-000000007402} SourceProcessId 4112 SourceThreadId 4624 SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {BEA5AFC2-EA20-630D-0B07-000000007402} TargetProcessId 5172 TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  GrantedAccess 0x1fffff CallTrace [S]

Records below are Sysmon events reconstructed from the flattened export, in the order they appear in the export. Fields common to every record: Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the EventID, RuleName "-". Schema Version is 5 for EventID 1, 3 and 23 and 3 for EventID 10. CallTrace strings that recur unchanged are written out once here and referenced by label:

  [S] C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  [A] C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50)
  [C] C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  [R] C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
  [L] C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+<offset given per record>|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID 38112 | EventID 1 (ProcessCreate) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:48.294
  ProcessGuid {BEA5AFC2-EA20-630D-0B07-000000007402} ProcessId 5172 Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  FileVersion 10.0.10011.16384 Description SplunkMonNoHandle Control Program Product Windows (R) Win 7 DDK driver Company Windows (R) Win 7 DDK provider OriginalFileName SplunkMonNoHandle.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM LogonGuid {BEA5AFC2-DC7F-630D-E703-000000000000} LogonId 0x3e7 TerminalSessionId 0 IntegrityLevel System
  Hashes MD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D
  ParentProcessGuid {BEA5AFC2-DCF5-630D-AC00-000000007402} ParentProcessId 4112 ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventRecordID 38111 | EventID 23 (FileDelete) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:48.278
  ProcessGuid {BEA5AFC2-DCF5-630D-AC00-000000007402} ProcessId 4112 User NT AUTHORITY\SYSTEM Image C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log
  Hashes MD5=EE68254AF84EBE708DE83835002A57BC,SHA256=6600BBDCCCA958FC21000171DAF47C7B7A27A96093BFC76D928EFEFAA92F90F1,IMPHASH=00000000000000000000000000000000 IsExecutable false Archived true

EventRecordID 38110 | EventID 23 (FileDelete) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:48.087
  ProcessGuid {BEA5AFC2-DD02-630D-F800-000000007402} ProcessId 632 User NT AUTHORITY\SYSTEM Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=B0CFB4F7BED85E346057BA6FD3C69FFE,SHA256=4827E19B354F8C83D41E5274D3E26B55A279FCCD39022EC44CF4ECFB9F2CC413,IMPHASH=00000000000000000000000000000000 IsExecutable false Archived true

EventRecordID 28860 | EventID 3 (NetworkConnect) | Computer win-host-ctus-attack-range-115 | UtcTime 2022-08-30 10:44:47.946
  ProcessGuid {3AAE424D-DF4E-630D-CA00-000000007502} ProcessId 744 Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User NT AUTHORITY\SYSTEM
  Protocol tcp Initiated true SourceIsIpv6 false SourceIp 10.0.1.15 SourceHostname win-host-ctus-attack-range-115.us-east-2.compute.internal SourcePort 50274 SourcePortName -
  DestinationIsIpv6 false DestinationIp 10.0.1.12 DestinationHostname ip-10-0-1-12.us-east-2.compute.internal DestinationPort 8000 DestinationPortName -

EventRecordID 28859 | EventID 23 (FileDelete) | Computer win-host-ctus-attack-range-115 | UtcTime 2022-08-30 10:44:49.490
  ProcessGuid {3AAE424D-DF54-630D-E300-000000007502} ProcessId 3432 User NT AUTHORITY\SYSTEM Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=7C8DC6D0305EFCA488539F5C69C7617F,SHA256=7926BABACECE64871C10C8B9D1D64B136B0B52E2B116517F123D8F5D94BDCAAB,IMPHASH=00000000000000000000000000000000 IsExecutable false Archived true

EventRecordID 38166 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.942
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2900-000000007402} TargetProcessId 2672 TargetImage C:\Windows\system32\dfssvc.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38165 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.938
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38164 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.937
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2600-000000007402} TargetProcessId 2496 TargetImage C:\Windows\System32\ismserv.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38163 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.935
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2300-000000007402} TargetProcessId 2472 TargetImage C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38162 | EventID 3 (NetworkConnect) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:47.817
  ProcessGuid {BEA5AFC2-DCFC-630D-DD00-000000007402} ProcessId 5056 Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User NT AUTHORITY\SYSTEM
  Protocol tcp Initiated true SourceIsIpv6 false SourceIp 10.0.1.14 SourceHostname win-dc-ctus-attack-range-146.attackrange.local SourcePort 53694 SourcePortName -
  DestinationIsIpv6 false DestinationIp 10.0.1.12 DestinationHostname - DestinationPort 8000 DestinationPortName -

EventRecordID 38161 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.930
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2200-000000007402} TargetProcessId 2440 TargetImage C:\Windows\system32\DFSRs.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38160 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.918
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2100-000000007402} TargetProcessId 2432 TargetImage C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38159 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.915
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2000-000000007402} TargetProcessId 2424 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38158 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.614
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-1F00-000000007402} TargetProcessId 2412 TargetImage C:\Windows\system32\dns.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38157 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.609
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-1E00-000000007402} TargetProcessId 2340 TargetImage C:\Windows\System32\spoolsv.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38156 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.606
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC8A-630D-1C00-000000007402} TargetProcessId 2196 TargetImage C:\Windows\System32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38155 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.605
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC82-630D-1A00-000000007402} TargetProcessId 1620 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38154 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.603
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-1700-000000007402} TargetProcessId 1416 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38153 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.598
  SourceProcessGUID {BEA5AFC2-EA21-630D-0D07-000000007402} SourceProcessId 6384 SourceThreadId 6868 SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGUID {BEA5AFC2-DCF5-630D-AC00-000000007402} TargetProcessId 4112 TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  GrantedAccess 0x101400 CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID 38152 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.579
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-1600-000000007402} TargetProcessId 1296 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38151 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.574
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-1500-000000007402} TargetProcessId 1252 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38150 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.562
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-1400-000000007402} TargetProcessId 1028 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38149 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.556
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-1300-000000007402} TargetProcessId 892 TargetImage C:\Windows\System32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38148 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.552
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-1200-000000007402} TargetProcessId 684 TargetImage C:\Windows\system32\dwm.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38147 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.542
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-1100-000000007402} TargetProcessId 92 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38146 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.536
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-1000-000000007402} TargetProcessId 412 TargetImage C:\Windows\System32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38145 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.526
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-0F00-000000007402} TargetProcessId 372 TargetImage C:\Windows\System32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38144 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.520
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-0E00-000000007402} TargetProcessId 1008 TargetImage C:\Windows\system32\LogonUI.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38143 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.513
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC81-630D-0D00-000000007402} TargetProcessId 912 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38142 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.506
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} TargetProcessId 852 TargetImage C:\Windows\system32\svchost.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38141 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.474
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC7F-630D-0B00-000000007402} TargetProcessId 640 TargetImage C:\Windows\system32\lsass.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38140 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.472
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402} SourceProcessId 5272 SourceThreadId 6512 SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  TargetProcessGUID {BEA5AFC2-DC7F-630D-0900-000000007402} TargetProcessId 572 TargetImage C:\Windows\system32\winlogon.exe
  GrantedAccess 0x40 CallTrace [A]

EventRecordID 38139 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.430
  SourceProcessGUID {BEA5AFC2-DCF5-630D-B000-000000007402} SourceProcessId 4064 SourceThreadId 2216 SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {BEA5AFC2-EA21-630D-0D07-000000007402} TargetProcessId 6384 TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff CallTrace [C]

EventRecordID 38138 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.430
  SourceProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} SourceProcessId 852 SourceThreadId 4516 SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400 CallTrace [L] with lsm.dll+fd18

EventRecordID 38137 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.430
  SourceProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} SourceProcessId 852 SourceThreadId 4516 SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400 CallTrace [L] with lsm.dll+11aad

EventRecordID 38136 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.430
  SourceProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} SourceProcessId 852 SourceThreadId 4516 SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400 CallTrace [L] with lsm.dll+11058

EventRecordID 38135 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.430
  SourceProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} SourceProcessId 852 SourceThreadId 4516 SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400 CallTrace [L] with lsm.dll+12023

EventRecordID 38134 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.430
  SourceProcessGUID {BEA5AFC2-DC7F-630D-0500-000000007402} SourceProcessId 416 SourceThreadId 532 SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {BEA5AFC2-EA21-630D-0D07-000000007402} TargetProcessId 6384 TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff CallTrace [R]

EventRecordID 38133 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.430
  SourceProcessGUID {BEA5AFC2-DCF5-630D-AC00-000000007402} SourceProcessId 4112 SourceThreadId 4624 SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {BEA5AFC2-EA21-630D-0D07-000000007402} TargetProcessId 6384 TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff CallTrace [S]

EventRecordID 38132 | EventID 1 (ProcessCreate) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.432
  ProcessGuid {BEA5AFC2-EA21-630D-0D07-000000007402} ProcessId 6384 Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  FileVersion - Description - Product - Company - OriginalFileName -
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM LogonGuid {BEA5AFC2-DC7F-630D-E703-000000000000} LogonId 0x3e7 TerminalSessionId 0 IntegrityLevel System
  Hashes MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9
  ParentProcessGuid {BEA5AFC2-DCF5-630D-AC00-000000007402} ParentProcessId 4112 ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventRecordID 38131 | EventID 23 (FileDelete) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:49.177
  ProcessGuid {BEA5AFC2-DD02-630D-F800-000000007402} ProcessId 632 User NT AUTHORITY\SYSTEM Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=32A2418D14A6EC5B8070D14352146D96,SHA256=FCD131A8CB3B0BC00898359EEC78653049E45C82EF7ADB77FA503F7422561B36,IMPHASH=00000000000000000000000000000000 IsExecutable false Archived true

EventRecordID 28861 | EventID 23 (FileDelete) | Computer win-host-ctus-attack-range-115 | UtcTime 2022-08-30 10:44:50.585
  ProcessGuid {3AAE424D-DF54-630D-E300-000000007502} ProcessId 3432 User NT AUTHORITY\SYSTEM Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=4E4F668117ED090AF4C9D850FE2843AE,SHA256=F921DE2C631FDAE65EEFBC5A34D2D0650C4AF7E8B66568D6AE1D8BD05B280DBF,IMPHASH=00000000000000000000000000000000 IsExecutable false Archived true

EventRecordID 38175 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.555
  SourceProcessGUID {BEA5AFC2-DCF5-630D-B000-000000007402} SourceProcessId 4064 SourceThreadId 2216 SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {BEA5AFC2-EA22-630D-0E07-000000007402} TargetProcessId 5268 TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  GrantedAccess 0x1fffff CallTrace [C]

EventRecordID 38174 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.555
  SourceProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} SourceProcessId 852 SourceThreadId 4516 SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400 CallTrace [L] with lsm.dll+fd18

EventRecordID 38173 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.555
  SourceProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} SourceProcessId 852 SourceThreadId 4516 SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400 CallTrace [L] with lsm.dll+11aad

EventRecordID 38172 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.555
  SourceProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} SourceProcessId 852 SourceThreadId 4516 SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400 CallTrace [L] with lsm.dll+11058

EventRecordID 38171 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.555
  SourceProcessGUID {BEA5AFC2-DC80-630D-0C00-000000007402} SourceProcessId 852 SourceThreadId 4516 SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {BEA5AFC2-DC92-630D-2500-000000007402} TargetProcessId 2488 TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400 CallTrace [L] with lsm.dll+12023

EventRecordID 38170 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.555
  SourceProcessGUID {BEA5AFC2-DC7F-630D-0500-000000007402} SourceProcessId 416 SourceThreadId 432 SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {BEA5AFC2-EA22-630D-0E07-000000007402} TargetProcessId 5268 TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  GrantedAccess 0x1fffff CallTrace [R]

EventRecordID 38169 | EventID 10 (ProcessAccess) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.555
  SourceProcessGUID {BEA5AFC2-DCF5-630D-AC00-000000007402} SourceProcessId 4112 SourceThreadId 4624 SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {BEA5AFC2-EA22-630D-0E07-000000007402} TargetProcessId 5268 TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  GrantedAccess 0x1fffff CallTrace [S]

EventRecordID 38168 | EventID 1 (ProcessCreate) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.556
  ProcessGuid {BEA5AFC2-EA22-630D-0E07-000000007402} ProcessId 5268 Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  FileVersion 8.2.5 Description Windows Print Monitor Product splunk Application Company Splunk Inc. OriginalFileName splunk-winprintmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM LogonGuid {BEA5AFC2-DC7F-630D-E703-000000000000} LogonId 0x3e7 TerminalSessionId 0 IntegrityLevel System
  Hashes MD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9
  ParentProcessGuid {BEA5AFC2-DCF5-630D-AC00-000000007402} ParentProcessId 4112 ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventRecordID 38167 | EventID 23 (FileDelete) | Computer win-dc-ctus-attack-range-146.attackrange.local | UtcTime 2022-08-30 10:44:50.334
  ProcessGuid {BEA5AFC2-DD02-630D-F800-000000007402} ProcessId 632 User NT AUTHORITY\SYSTEM Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program (record cut off here in the export)
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5247E20E3F1782C9510D44030A0B4E79,SHA256=203BCBE284B6892F31C4A68456C77083410800224691161F8B9EB446995D0444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.760{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.758{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.758{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.754{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.736{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7B2E13538FD14D7AD140FAF1F2CFF7F8,SHA256=9AB35FDE7BE93AF9C33E89DC00EDBDA8F55F5D8BBADC541F51AF1E3A0DB89CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.725{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.710{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.708{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.670{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.660{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.655{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C1BE240A33D1F0A9E32399B2C4357,SHA256=7F0E7EBF9850B505F3106ABBB89AAFB54A1AAEFDA707298194AEEFBC5859A037,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.635{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.628{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.624{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.621{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.615{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.612{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.610{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.606{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.605{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.604{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.603{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.600{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.598{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.594{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000038195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.976{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.975{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA23-630D-1007-000000007402}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:51.900{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:44:51.900{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10341000x800000000000000038196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.054{BEA5AFC2-EA23-630D-1007-000000007402}7085260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:53.840{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25288B8EE8BC208C90B146B13006169,SHA256=8B469A1E7E4854AD8803BF89ABDD9D0CDBEBF029FE69A1342932D5096B8B33C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:53.451{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7A881BEC7E8ED6BBE871284296FE97,SHA256=5BF016EF93BD32248FF9418A794B8B7C2DA0C15A0927C21AF0B3D45931480318,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000028908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:54.938{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBE3881BC543159615BD9246DC934F4,SHA256=B34A6169C8478B2D6B5F6AE509D2DFC6F680305500670ACF8887EFF40D0D5990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:54.552{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E697819F39A2478318295FF7F8839387,SHA256=B772CE49B7F4F60ED074B79CF3E80E4BD88B4A94E30ED8FE8791CBC7CF53D1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:55.646{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF4873518CB34D1014DAD2D44AEC69B,SHA256=9E0A79AE166D9362E0C66CFAFA7BC8B9A50C82E69C51245059D24405C2CA5D51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.837{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53695-false10.0.1.12-8000- 
23542300x800000000000000038222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:56.739{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42567FFDB36CFA064B48D0E83EC60C16,SHA256=01F92A60D760266C828BD96BF0D311373667E9927078C47D3B1286FA3E82B97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:56.053{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758EA505160E36249F83A63BA13A685E,SHA256=7AE8B6E3125BDFCD4D7AD0CD96CA5106413C7470B00CB234E883F6234D296452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:53.893{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:57.833{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796923A60CF850ACAB4A399460F5CC96,SHA256=6AA971A1987180E796A94FBEF8C439608F044E7863016FE938CC23BEC31DBAE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:57.133{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8725FF9D4C3802496A7370094614B1,SHA256=A0B5E1E75425E4DDA5E2EBE8C8D0DE1531B5BE236F2A5FCADCE730B4E1AB6884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:58.926{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47F40DF481C28D4EDD336B2A4368B06,SHA256=90867349E34B398D43B5B5177D6C40F810B48C4AE6603F2916ED64145F501F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:58.341{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9443D1D5820AD0EB23D90863AC1377F5,SHA256=5449F4720B1D451DEE3840C10373E8CB69820CFB50F31337757FFB656B674A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:44:59.443{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710AE755605EEFCEFB13D0CFD0A2EEF3,SHA256=821A76882A8D50C85A2D00A4D814D60D9FF4BFE1753F58116E03B1EDAFDAC77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:00.649{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B277903F89EB723296B68B556075110,SHA256=846C18A778C38DD20367F7BB1067562DC01C8F0FCA2859E30B33DD1A29179E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:58.829{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53696-false10.0.1.12-8000- 23542300x800000000000000038225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:00.008{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC987FEAA107CC02C7851C08B1031A68,SHA256=87797F8C91D83C5E0499A387FE4C62BD27E5E54543C5D4487FCA8DCC4F77DE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:01.730{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3E7016557447A0F36CFE54FA4DB020,SHA256=EC3AF8D51B1424BBACF3AC0BC41324CB6B2C8A7A48A991664477DEE8F2E6DA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:01.097{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C846AE454C73B3CA7C591F2B4F3E49F2,SHA256=FCD11468DDE3D7C9859C7D7DB11EA9BFABFBC9D17E961BDD453D482F289EDE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:02.914{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FA8344C07728A4169114A685951FC1,SHA256=4C2DEDADB2FCA55747E8A4E77A1647FC65D645B30069B3FDAA0FC84830885B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:02.206{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A358F229E39A88B8D1E6C7824DB776B,SHA256=72FE458D021425C68AF097CBC3FC658EE6CC062FA1428D88D2B268EEED717425,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:59.889{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:03.294{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6E9FA15FEE8FBB2B17F62E64A0B63,SHA256=5D27756D7C46C112FED8FBED0698301ABCE9FACE0DDBC66D18C393C143FCB365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:04.382{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0EC69DDF9B92E51CAAC025F3883600,SHA256=B1D5133AEB38AD9DE32463066E298F38E5B80BC3DD494F062132090320B67D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:04.104{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A21D926CD93054648F87446ACFA2A0,SHA256=ED34813D6B310F0BAD37E52AB9D242EC0F8CE5FE26751A43FD322A324F8CF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:04.045{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-046MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:05.469{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFF8D2DB7283E1D5547BCD8A8BDBDDB,SHA256=EAA2AF8B0EE2E9F705CA740E7F1A9C713779800B050FE18DE7771037DF4C51B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:05.316{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9226DB7A32531742BD6FE0F5C78E5,SHA256=BBDB55497C51B37218F49FC360342DED3B0929B7EFBFE4B693195552666678A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:05.050{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-047MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:06.576{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8BE9CE21F1EAF2A46AA2E16F0911F1,SHA256=67CABE276269E10D32F1A57AD7AD04713EAAB8D5346171A270CB832B78831BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:06.417{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8550BCE61D8E284E023D72D15203CF6B,SHA256=B515921551502D6FC9D5372118649B1FDBC0472DC8C08F9CA80CC847107A9EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:04.003{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53697-false10.0.1.12-8000- 23542300x800000000000000038234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:07.663{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19ACE86DCD63AC08E1103CA59B41D03,SHA256=FE5900DB2D8655E4FF1A4D77AF6745666790E821A2DBB1980EB83A5960973892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:07.506{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E450FB13768534CF8F053076A895B01,SHA256=ACE9A365B98E49CA27C6900AA3D94BC6741D633AFB75FFFEA3536F13C74593A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:04.931{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:08.710{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DEBE64AD80B4F86F2C601BC23C2AA0,SHA256=7A8A7CA8F1D600D97581AC25F942AADE802C56EE3952DE39FB6317CA31869EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:08.756{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B1804C48B67F3B32BD7FDF0557C62F,SHA256=687B5ACD4D55959C3B15438BB10F01181A68AA511DA4B4D8A93B7DFDA9AFEA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.825{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770CE30E502E3117E2D7EC90C9EAE57A,SHA256=B989CE901EA0E9B2799C8152874100CCDDE2DC16009E449ECA8B228A1446D155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:09.802{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3315D604FCEDA283A6D821B217382CB0,SHA256=E1E6F054B96103B9141F335C840E80D6EEA029833FEDA857121D40C25CFA0BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.629{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.623{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.620{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.618{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.616{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.591{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.585{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-1500-000000007402} ; TargetProcessId=1252 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)

Record layout: these are Sysmon events from the Microsoft-Windows-Sysmon/Operational channel whose XML tags were lost in extraction; they are rebuilt below one event per line with fields separated by " ; ". Common to every record: Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID, RuleName=-. Event versions: EID 10 (ProcessAccess) v3, EID 13 (RegistryEvent SetValue) v2, EID 23 (FileDelete) v5, EID 3 (NetworkConnect) v5. Every EID 10 record on win-dc-ctus-attack-range-146.attackrange.local carries the same CallTrace, written once here as [DC-trace]: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)

EID=10 ; RecordID=38247 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.572 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-1400-000000007402} ; TargetProcessId=1028 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38246 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.566 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-1300-000000007402} ; TargetProcessId=892 ; TargetImage=C:\Windows\System32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38245 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.561 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-1200-000000007402} ; TargetProcessId=684 ; TargetImage=C:\Windows\system32\dwm.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38244 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.552 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-1100-000000007402} ; TargetProcessId=92 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38243 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.543 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-1000-000000007402} ; TargetProcessId=412 ; TargetImage=C:\Windows\System32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38242 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.533 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-0F00-000000007402} ; TargetProcessId=372 ; TargetImage=C:\Windows\System32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38241 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.527 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-0E00-000000007402} ; TargetProcessId=1008 ; TargetImage=C:\Windows\system32\LogonUI.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38240 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.518 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC81-630D-0D00-000000007402} ; TargetProcessId=912 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38239 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.511 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC80-630D-0C00-000000007402} ; TargetProcessId=852 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38238 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.472 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC7F-630D-0B00-000000007402} ; TargetProcessId=640 ; TargetImage=C:\Windows\system32\lsass.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=10 ; RecordID=38237 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.469 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC7F-630D-0900-000000007402} ; TargetProcessId=572 ; TargetImage=C:\Windows\system32\winlogon.exe ; GrantedAccess=0x40 ; CallTrace=[DC-trace]
EID=23 ; RecordID=38236 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.443 ; ProcessGuid={BEA5AFC2-DCF5-630D-AC00-000000007402} ; ProcessId=4112 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml ; Hashes=MD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=true
EID=23 ; RecordID=28927 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:10.897 ; ProcessGuid={3AAE424D-DF54-630D-E300-000000007502} ; ProcessId=3432 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=823EB6B8858B8FB894DDFA1F92A974A1,SHA256=CC01FB3A5663733F2AB44CD22EEBD50E5C9226182B62F41CF5FA4141D59E7F6B,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=true
EID=13 ; RecordID=38274 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidence ; Details=DWORD (0x00000008)
EID=13 ; RecordID=38273 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount ; Details=QWORD (0x00000000-0x0035a045)
EID=13 ; RecordID=38272 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow ; Details=QWORD (0x01d8bc55-0x321dc85a)
EID=13 ; RecordID=38271 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated ; Details=QWORD (0x01d8bc5d-0x93e2305a)
EID=13 ; RecordID=38270 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh ; Details=QWORD (0x01d8bc65-0xf5a6985a)
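The Event ID 10 records above show aurora-agent.exe (PID 5272, thread 5304) opening a handle with GrantedAccess 0x40 (PROCESS_DUP_HANDLE) to every process on the domain controller, lsass.exe (PID 640) included, through a WOW64 call stack. That is the shape of an inventory pass by a 32-bit endpoint agent; the same event fired by an unknown image asking for PROCESS_VM_READ is what credential dumping from LSASS looks like, and the difference is in the source image and the access mask, not in the event itself. The script below, added here as an example and not part of the export or of Sysmon, Splunk or the Aurora agent, parses Sysmon event XML, decodes the mask into named rights and applies an allowlist. The sample events are constructed from values in the export; the ALLOWLIST contents and the dumper.exe source image are assumptions for the example.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.

Added example. The sample events are constructed from field values visible in
the export (aurora-agent.exe PID 5272 opening lsass.exe PID 640 with
GrantedAccess 0x40 from a WOW64 call stack) plus one hypothetical event with
an unknown source image, so both the allowlisted and the alerting path run.
"""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access-right bits from winnt.h that matter for LSASS triage.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that allow reading or tampering with LSASS memory (credential theft, injection).
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020

# Images expected to open handles to every process on these hosts.
# Assumption for this example; tune to the agents actually deployed.
ALLOWLIST = {
    r"c:\program files\aurora-agent\aurora-agent.exe",
    r"c:\windows\sysmon64.exe",
}


def decode_access(mask: int) -> list:
    """Expand a GrantedAccess mask into the named rights it contains, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon event (standard Windows event XML) into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.find("e:EventData", NS):
        ev[data.get("Name")] = data.text or ""
    return ev


def triage(ev: dict) -> Optional[dict]:
    """Return a verdict for EID 10 events whose target is lsass.exe, else None."""
    if ev["EventID"] != 10 or not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    mask = int(ev["GrantedAccess"], 16)
    verdict = {
        "computer": ev["Computer"],
        "source": ev["SourceImage"],
        "source_pid": int(ev["SourceProcessId"]),
        "rights": decode_access(mask),
        # A "(wow64)" frame in CallTrace means a 32-bit caller on a 64-bit host.
        "wow64": "(wow64)" in ev.get("CallTrace", ""),
    }
    if ev["SourceImage"].lower() in ALLOWLIST:
        verdict["severity"] = "info"   # known agent: keep for baselining, do not page
    elif mask & MEMORY_RIGHTS:
        verdict["severity"] = "high"   # unknown image with memory access to LSASS
    else:
        verdict["severity"] = "low"    # unknown image, but no memory rights requested
    return verdict


EVENT_TMPL = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="SourceProcessId">{spid}</Data>
    <Data Name="SourceImage">{src}</Data>
    <Data Name="TargetProcessId">{tpid}</Data>
    <Data Name="TargetImage">{tgt}</Data>
    <Data Name="GrantedAccess">{access}</Data>
    <Data Name="CallTrace">{trace}</Data>
  </EventData>
</Event>"""

DC = "win-dc-ctus-attack-range-146.attackrange.local"
AURORA = r"C:\Program Files\Aurora-Agent\aurora-agent.exe"
LSASS = r"C:\Windows\system32\lsass.exe"

# Constructed sample events: values from the export, except dumper.exe, which is hypothetical.
SAMPLE_EVENTS = [
    EVENT_TMPL.format(computer=DC, utc="2022-08-30 10:45:09.472", spid=5272, src=AURORA,
                      tpid=640, tgt=LSASS, access="0x40",
                      trace=r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|"
                            r"C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|" + AURORA + "+69f35"),
    EVENT_TMPL.format(computer=DC, utc="2022-08-30 10:46:00.000", spid=4321,
                      src=r"C:\Users\Public\dumper.exe", tpid=640, tgt=LSASS, access="0x1010",
                      trace=r"C:\Windows\SYSTEM32\ntdll.dll+a6144|UNKNOWN(00007FF6A0001000)"),
    EVENT_TMPL.format(computer=DC, utc="2022-08-30 10:45:09.469", spid=5272, src=AURORA,
                      tpid=572, tgt=r"C:\Windows\system32\winlogon.exe", access="0x40", trace=""),
]


def run(events=SAMPLE_EVENTS) -> list:
    """Parse and triage every event, dropping the ones that are out of scope."""
    verdicts = [triage(parse_event(x)) for x in events]
    return [v for v in verdicts if v is not None]


if __name__ == "__main__":
    for v in run():
        print(v["severity"].upper(), v["source"], "-> lsass.exe", v["rights"], "wow64" if v["wow64"] else "")
```

On the events in this export the agent's handle to lsass.exe comes out as "info" (PROCESS_DUP_HANDLE only, allowlisted source); the constructed dumper.exe event comes out "high" because 0x1010 carries PROCESS_VM_READ. The winlogon.exe event is dropped, since only LSASS is in scope. An allowlist keyed on image path alone is a weak control; in production pair it with the Sysmon hash fields or a signature check, because a renamed binary in the agent's directory would pass this filter.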
Records continue one event per line, fields separated by " ; " (Sysmon XML with tags lost in extraction; common header fields Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID, RuleName=-). Every EID 10 record on win-host-ctus-attack-range-115 carries the same CallTrace, written once here as [HOST-trace]: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0)

EID=13 ; RecordID=38269 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidence ; Details=DWORD (0x00000008)
EID=13 ; RecordID=38268 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount ; Details=QWORD (0x00000000-0x0035a045)
EID=13 ; RecordID=38267 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow ; Details=QWORD (0x01d8bc55-0x321dc85a)
EID=13 ; RecordID=38266 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated ; Details=QWORD (0x01d8bc5d-0x93e2305a)
EID=13 ; RecordID=38265 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; EventType=SetValue ; UtcTime=2022-08-30 10:45:10.961 ; ProcessGuid={BEA5AFC2-DC7F-630D-0B00-000000007402} ; ProcessId=640 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh ; Details=QWORD (0x01d8bc65-0xf5a6985a)
EID=23 ; RecordID=38264 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:10.899 ; ProcessGuid={BEA5AFC2-DD02-630D-F800-000000007402} ; ProcessId=632 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=F2F1E7464E2F1B9DAD0B2801B3A0FA03,SHA256=248B374E45CF4C05722387B584FAC3B5EBF02C944E08973AB6676D556854C757,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=true
EID=3 ; RecordID=38263 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:09.017 ; ProcessGuid={BEA5AFC2-DCFC-630D-DD00-000000007402} ; ProcessId=5056 ; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; User=NT AUTHORITY\SYSTEM ; Protocol=tcp ; Initiated=true ; SourceIsIpv6=false ; SourceIp=10.0.1.14 ; SourceHostname=win-dc-ctus-attack-range-146.attackrange.local ; SourcePort=53698 ; SourcePortName=- ; DestinationIsIpv6=false ; DestinationIp=10.0.1.12 ; DestinationHostname=- ; DestinationPort=8000 ; DestinationPortName=-
EID=10 ; RecordID=38262 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:10.047 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC92-630D-2900-000000007402} ; TargetProcessId=2672 ; TargetImage=C:\Windows\system32\dfssvc.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)
EID=10 ; RecordID=38261 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:10.042 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC92-630D-2500-000000007402} ; TargetProcessId=2488 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)
EID=10 ; RecordID=38260 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:10.041 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC92-630D-2600-000000007402} ; TargetProcessId=2496 ; TargetImage=C:\Windows\System32\ismserv.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)
EID=10 ; RecordID=38259 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:10.038 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC92-630D-2300-000000007402} ; TargetProcessId=2472 ; TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)
EID=10 ; RecordID=38258 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:10.032 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC92-630D-2200-000000007402} ; TargetProcessId=2440 ; TargetImage=C:\Windows\system32\DFSRs.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)
EID=10 ; RecordID=38257 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:10.013 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC92-630D-2100-000000007402} ; TargetProcessId=2432 ; TargetImage=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)
EID=10 ; RecordID=38256 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:10.010 ; SourceProcessGUID={BEA5AFC2-E595-630D-7006-000000007402} ; SourceProcessId=5272 ; SourceThreadId=5304 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={BEA5AFC2-DC92-630D-2000-000000007402} ; TargetProcessId=2424 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190)
EID=23 ; RecordID=38276 ; Computer=win-dc-ctus-attack-range-146.attackrange.local ; UtcTime=2022-08-30 10:45:11.980 ; ProcessGuid={BEA5AFC2-DD02-630D-F800-000000007402} ; ProcessId=632 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=18B61D8C81A8C9F7EE80F0B08DCA7B0B,SHA256=F9E3D13EA725B4B59FC67753A2C2075F84CF5F32016D65865CCF5424DFEF4448,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=true
EID=23 ; RecordID=28970 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.775 ; ProcessGuid={3AAE424D-DF47-630D-9900-000000007502} ; ProcessId=680 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log ; Hashes=MD5=17742A3B43B3631364D07A6F57269B1D,SHA256=FB595FE15E26BA8A2AFE408D612BB521785F8B16580AC19D9C341D7589DD4DA6,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=true
EID=10 ; RecordID=28969 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.735 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E9D5-630D-F803-000000007502} ; TargetProcessId=4604 ; TargetImage=C:\Windows\system32\wbem\wmiprvse.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28968 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.734 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E695-630D-9303-000000007502} ; TargetProcessId=2864 ; TargetImage=C:\Windows\system32\conhost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28967 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.734 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E695-630D-9203-000000007502} ; TargetProcessId=5504 ; TargetImage=C:\Windows\system32\cmd.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28966 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.732 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5F8-630D-7E03-000000007502} ; TargetProcessId=3772 ; TargetImage=C:\Program Files\Notepad++\notepad++.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28965 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.715 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5CD-630D-6503-000000007502} ; TargetProcessId=4996 ; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28964 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.697 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5CC-630D-6303-000000007502} ; TargetProcessId=4848 ; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28963 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.695 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5C5-630D-5603-000000007502} ; TargetProcessId=208 ; TargetImage=C:\Windows\System32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28962 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.661 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5C4-630D-5403-000000007502} ; TargetProcessId=3604 ; TargetImage=C:\Windows\Explorer.EXE ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28961 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.647 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5C4-630D-4B03-000000007502} ; TargetProcessId=2388 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28960 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.622 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5C3-630D-4803-000000007502} ; TargetProcessId=3036 ; TargetImage=C:\Windows\System32\rdpclip.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28959 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.615 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5C1-630D-4303-000000007502} ; TargetProcessId=3720 ; TargetImage=C:\Windows\system32\dwm.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28958 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.613 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-E5C0-630D-4103-000000007502} ; TargetProcessId=3764 ; TargetImage=C:\Windows\system32\winlogon.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28957 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.609 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DF5D-630D-E800-000000007502} ; TargetProcessId=1876 ; TargetImage=C:\Windows\System32\msdtc.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28956 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.607 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DF54-630D-E300-000000007502} ; TargetProcessId=3432 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28955 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.603 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DF4E-630D-CA00-000000007502} ; TargetProcessId=744 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28954 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.601 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DF47-630D-9D00-000000007502} ; TargetProcessId=2340 ; TargetImage=C:\Windows\system32\conhost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28953 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.592 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DF47-630D-9900-000000007502} ; TargetProcessId=680 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28952 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.590 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DEEC-630D-6500-000000007502} ; TargetProcessId=3292 ; TargetImage=C:\Windows\system32\conhost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28951 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.588 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DEEC-630D-6400-000000007502} ; TargetProcessId=3200 ; TargetImage=C:\Windows\system32\WinrsHost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28950 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.586 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DEE5-630D-3600-000000007502} ; TargetProcessId=2040 ; TargetImage=C:\Windows\system32\conhost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28949 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.583 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DEE5-630D-3500-000000007502} ; TargetProcessId=2636 ; TargetImage=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28948 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.581 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DEE4-630D-2400-000000007502} ; TargetProcessId=2480 ; TargetImage=C:\Windows\system32\wbem\unsecapp.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28947 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.577 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DEE3-630D-2200-000000007502} ; TargetProcessId=2280 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28946 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.573 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DEE3-630D-1E00-000000007502} ; TargetProcessId=1984 ; TargetImage=C:\Windows\system32\svchost.exe ; GrantedAccess=0x40 ; CallTrace=[HOST-trace]
EID=10 ; RecordID=28945 ; Computer=win-host-ctus-attack-range-115 ; UtcTime=2022-08-30 10:45:11.562 ; SourceProcessGUID={3AAE424D-E5D3-630D-6803-000000007502} ; SourceProcessId=5752 ; SourceThreadId=5884 ; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe ; TargetProcessGUID={3AAE424D-DEE3-630D-1D00-000000007502} ; TargetProcessId=1960 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x40 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.557{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.551{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.539{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.522{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.519{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.510{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.477{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.469{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.459{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.453{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.439{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.430{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.421{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.413{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.400{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.393{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.390{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 354300x800000000000000038275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.205{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53699-false10.0.1.12-8089- 
23542300x800000000000000028971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:12.531{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60AF2D9B6B09D524D9DD632EDF8D54A,SHA256=760DDFF0551D9833A68DEBCB6176E52B4BB2C2FFF4F287FC2789A19FD3BA30D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.700{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.690{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.682{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6406-000000007402}2624C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.657{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.651{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.641{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.636{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.634{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.632{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.629{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.622{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.619{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.618{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.614{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.613{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.612{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
(rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000029039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000029037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000029031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000029030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.519{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.503{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000029026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:16.503{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.503{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000029024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.366{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000029023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 
10:45:16.355{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000029022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.355{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 734700x800000000000000029021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.349{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\EhStorAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorapi.dllMD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8,IMPHASH=33685761AD2886071A8D7CFB81130BEAtrueMicrosoft WindowsValid 734700x800000000000000029020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.344{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 13241300x800000000000000029019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 
13241300x800000000000000029018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000029013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local 
Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000029012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\PlayToDevice.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPlaytoDevice.dllMD5=F16F9896C90C06D66C3538AD9DA011F7,SHA256=EF2A5483794B7E4D836393CF2F4C3A065719855C16933D25C219E620BB692A8A,IMPHASH=C336F93278ACA9710F465E21059D5842trueMicrosoft WindowsValid 13241300x800000000000000029011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000029010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 
13241300x800000000000000029007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000029001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000029000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000028999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000028998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000028997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000028996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000028995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000028994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000028993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000028992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000028991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000028990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 23542300x800000000000000028989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.105{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AE4241D4976E80891994EFC25B6F7C,SHA256=991B712CF9F0883D0F3C443DD891A8717B075B07E601D73EFE886C653762429E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:14.942{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53704-false10.0.1.12-8000- 23542300x800000000000000038326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:16.325{BEA5AFC2-DD02-630D-F800-000000007402}632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5F939FFC151B1A155591477296C237,SHA256=8D95C7E366D0CC870B00EA1C13E3CC15D0973AAC00BA38ABD76B21128E49D8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.529{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E00988449A6EA6F51BF772C2EB03214,SHA256=219257D7CA9286216E0B103187348047D2BDF2B75C4BE1A6057D6368FF27B037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.498{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AE6AB740DCFEB2074F023E53393268,SHA256=E50BD3778F37B3642DF4F4BCEA9AB34EC1521BC944459EB92354FFAACD2326DC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:17.435{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AA63BF4E46868E688DD1CEB988BCB2,SHA256=DA82764BD70EABE7D0E7ACCFF71AF5F93821BF6A4E41DBE61875334D0BBF6A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:25.329{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E808BBEF2874F9C7D117506A8404F090,SHA256=3C0CA7F46D9CBA6015874420BBC347B4BB54789ACCD45CEEA4EDA613B2EA088B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:25.265{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D1D5CFF809E9BDB70E17E5857AF8C2,SHA256=492BE1DE5A00166820FDFE74EC0A5E2467D43659338FCFA6A99EE422FF48CC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:25.063{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4B13476F673F34B319E1254D27C62C,SHA256=BD420DF1F26FE7B06ABDB735F58E96843523F19A1634DD00C43188CC671F0133,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000029148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:26.415{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1FCFCC4AB7719CCF47D3D3A8079CDC,SHA256=11F8DEAB71800C0B51A647E27910F4F84CE806C4033B773322B7E97A1FE5ACC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:26.321{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-056MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:26.163{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0D2D331C5FAF8909F48792D3254B12,SHA256=46A2917034066A0940B58E5A86005D9A5A23EBE9EDC3FB00508BD5FA11865F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:27.496{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48609ACFD132F35BAF06AE375EA89860,SHA256=9C43FAAB2F97E911B2FDBB4DCE0FEBC1DAB440A38FBFB774421BFA71798127DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:27.329{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:27.249{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2A2DC67B2A2BC53760248313F64591,SHA256=6849B16A166268DBC95E76587DF5621DB3E05F4A30ECD439230D7A17B0EE2031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:27.340{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:27.034{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50282-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000029152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:26.924{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50281-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:28.590{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7728D84FA52F3997BF42AECDF3A59F40,SHA256=B7F691903CCCE5B60360B2ACE223B2933857A724F61CCABD9811C6838A4A050C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:25.939{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53706-false10.0.1.12-8000- 23542300x800000000000000038343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:28.342{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2EAD4FB6631CE0DC3B78FB81A77639,SHA256=369153E01AAA451AFF9378AF9DA0E4B8B6E72F5FA516DB0CB15234AE44615F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:29.689{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468418A8A550D61B5D76E15F1709F5CC,SHA256=A8056199508F755F19D2852957BC07F3FE7A3E6C26F7DFEFE2917D8B95DAE89C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.629{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.622{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.619{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.617{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.615{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.589{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.584{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.572{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.561{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.557{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.548{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.541{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.532{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.525{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.517{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.508{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.470{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.469{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000038345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.421{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0EA6C45EDF254966EC58152615D8F4,SHA256=B66190E7E746339BBB1D8AE1C3A05EC9E26D6FBA36C4F4E02C88AEC8BF5435E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:30.781{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A8D09A88085A67FCADD376935BE742,SHA256=E965927D2376D12A677C875F58EAAFB7034D12ADE0B2331DC4A671DC1AAB46CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.456{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290598F662D918D829C13F01E0841FA7,SHA256=5CC630B2BA0D3E376C6582DB3B25CF8D06EC23E4861240F1448B56A11C2E70D4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:30.359{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B02F2\VirtualDesktopBinary Data 13241300x800000000000000029158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:30.296{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000029157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:45:30.296{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B02F2 13241300x800000000000000029156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:30.296{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 
10:45:30.296{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000038370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.038{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.034{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.032{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.030{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.024{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.010{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.006{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:31.925{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:31.925{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:31.925{BEA5AFC2-DC7F-630D-0B00-000000007402}640364C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:31.913{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:31.540{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51505960E139CF31A771388EEFAB62C,SHA256=64486A653CA739D52A4C57EF9B0BF1F3CB1C9FB7EFF9E03AABF61AE435E0A9C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.758{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.757{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.757{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.754{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.739{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.724{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.719{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.681{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.672{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.650{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.644{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.642{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.639{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.637{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.634{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.633{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.629{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.627{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.626{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.623{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.615{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.613{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.611{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.607{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.602{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.599{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.594{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.587{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.569{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.567{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.557{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
354300x800000000000000038406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:36.978{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53708-false10.0.1.12-8000- 23542300x800000000000000038405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:39.084{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB84423C84BD341A93C9FB7D2E089ECC,SHA256=DBA41B471061AB2110F592ECC5F6677850FC6E8CBEC2AF2A7C16780E2E8A84D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:37.917{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50284-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:40.179{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB4A57B446A5CC8C8F03FBF206B5E8E,SHA256=4C9ECF2B25244360A59BDE8148338E9277D86E2A67D93AA9A8CEA580C6687E91,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:40.889{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.889{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.889{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000029270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x800000000000000029266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x800000000000000029256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft 
CorporationValid 734700x800000000000000029249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft 
WindowsValid 734700x800000000000000029238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000029237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® 
Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000029234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x800000000000000029231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000029229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:40.733{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:40.733{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.734{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:41.274{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4CBCB95EC7D1F71365913EC73CD0DF,SHA256=70C655F17E1259A175B8829658522E3D4F5440A72AE1C99478F95BABB9F0BF64,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000029354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000029351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000029350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000029349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000029348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x800000000000000029347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000029345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE 
API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000029342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:41.974{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000029339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:41.974{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000029337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:41.974{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.975{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.834{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5794D228E53C00D726C4F294D8234EFB,SHA256=D8B0789E263E2847A08BE0819983EFE87DF7080BB3E7CB7081F213B7AFAB3B0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:41.740{3AAE424D-EA55-630D-0B04-000000007502}55524872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.740{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.740{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000029329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.623{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.623{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000029438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.502{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.500{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.500{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service 
Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.500{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.497{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.497{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x800000000000000029432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.496{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.496{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x800000000000000029415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 
734700x800000000000000029411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000029403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000029398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:42.475{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
Sysmon events (channel Microsoft-Windows-Sysmon/Operational) as exported from the attack-range forwarder. The export ran every field together; below each record is on its own line with fields separated by " | ". Every record also carries Version, Level 4, Task (= EventID), Opcode 0 and Keywords 0x8000000000000000; those constant columns are folded into the field lists here rather than repeated. The "-" column after Computer is an empty column in the export. SourceProcessId and SourceThreadId in EventID 10 are run together in the export and are split here as PID / TID.
  EventID 1  (v5) ProcessCreate:  EventID | RecordID | Channel | Computer | - | UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine
  EventID 7  (v3) ImageLoad:      EventID | RecordID | Channel | Computer | - | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
  EventID 10 (v3) ProcessAccess:  EventID | RecordID | Channel | Computer | - | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (frames joined by "|")
  EventID 23 (v5) FileDelete:     EventID | RecordID | Channel | Computer | - | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

(continuation of the EventID 10 record opened on the previous line) 10:45:42.475 | {3AAE424D-DEE2-630D-0C00-000000007502} | 720 | 852 | C:\Windows\system32\svchost.exe | {3AAE424D-DEE3-630D-1D00-000000007502} | 1960 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 29395 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.475 | {3AAE424D-DEE2-630D-0C00-000000007502} | 720 | 852 | C:\Windows\system32\svchost.exe | {3AAE424D-DEE3-630D-1D00-000000007502} | 1960 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 29394 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.475 | {3AAE424D-DEE2-630D-0500-000000007502} | 408 | 424 | C:\Windows\system32\csrss.exe | {3AAE424D-EA56-630D-0D04-000000007502} | 5712 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10 | 29393 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.475 | {3AAE424D-DF47-630D-9900-000000007502} | 680 | 2832 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {3AAE424D-EA56-630D-0D04-000000007502} | 5712 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
1 | 29392 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.476 | {3AAE424D-EA56-630D-0D04-000000007502} | 5712 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {3AAE424D-DEE2-630D-E703-000000000000} | 0x3e7 | 0 | System | MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 | {3AAE424D-DF47-630D-9900-000000007502} | 680 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23 | 29391 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.257 | {3AAE424D-DF54-630D-E300-000000007502} | 3432 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5B5C8AEFDB2DEA8E1A55605AEC4E20C5,SHA256=431BFD1A393B4EBD56331CDD8E95AFF19F43F88E7C63630782CFE03DD1337E7B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 29390 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.241 | {3AAE424D-DF54-630D-E300-000000007502} | 3432 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1F34A44EC94CEA640BA0385482D79CAC,SHA256=6D608B1B634F7183D2B989735E2695897341A526734A3A5674FCD9B20735638C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 38409 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-146.attackrange.local | - | 2022-08-30 10:45:42.144 | {BEA5AFC2-DC81-630D-1000-000000007402} | 412 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | MD5=1215549192962EED7E64FB1DF85FFA85,SHA256=42548A65750AFACE78AB84E0E976BE7E2028100C7E9EF408FAE663EF84C4C7F1,IMPHASH=00000000000000000000000000000000 | false | true
7 | 29389 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.193 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | true | Microsoft Windows | Valid
7 | 29388 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.177 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | true | Microsoft Windows | Valid
7 | 29387 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.177 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | true | Microsoft Windows | Valid
23 | 29386 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:42.177 | {3AAE424D-DF47-630D-9900-000000007502} | 680 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log | MD5=B0381A717928D67D39739872D497C32C,SHA256=7B0083F31643DE59D357BB48B938887F938A431477ECFDCD9F3DC5DE15F0029E,IMPHASH=00000000000000000000000000000000 | false | true
7 | 29385 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.990 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
7 | 29384 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.990 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
7 | 29383 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.990 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
7 | 29382 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.990 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F | true | Microsoft Windows | Valid
7 | 29381 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.990 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
7 | 29380 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.990 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | true | Microsoft Windows | Valid
7 | 29379 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.990 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
7 | 29378 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.990 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.5125 (rs1_release.220429-1732) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0 | true | Microsoft Windows | Valid
7 | 29377 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.974 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\sspicli.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Security Support Provider Interface | Microsoft® Windows® Operating System | Microsoft Corporation | sspicli.dll | MD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33 | true | Microsoft Windows | Valid
7 | 29376 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.974 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
7 | 29375 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.974 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
7 | 29374 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.974 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
7 | 29373 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.974 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4770 (rs1_release.211101-1440) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
7 | 29372 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.974 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.5192 (rs1_release.220610-1622) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
7 | 29371 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:41.974 | {3AAE424D-EA55-630D-0C04-000000007502} | 4316 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\combase.dll | 10.0.14393.5192 (rs1_release.220610-1622) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
23 | 38411 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-146.attackrange.local | - | 2022-08-30 10:45:43.451 | {BEA5AFC2-DD02-630D-F800-000000007402} | 632 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1D16611057AB54DDE1DD71A5BA89F5B0,SHA256=C49B63E1425C0FE56F048412E62F1C535B2A941C05E44C1E445ADFE8A67CB8F1,IMPHASH=00000000000000000000000000000000 | false | true
7 | 29497 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.976 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
7 | 29496 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.976 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
7 | 29495 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.976 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
7 | 29494 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.976 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F | true | Microsoft Windows | Valid
7 | 29493 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.976 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
7 | 29492 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.976 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | true | Microsoft Windows | Valid
7 | 29491 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.976 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
7 | 29490 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.976 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.5125 (rs1_release.220429-1732) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0 | true | Microsoft Windows | Valid
7 | 29489 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
7 | 29488 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
7 | 29487 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
7 | 29486 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4770 (rs1_release.211101-1440) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
7 | 29485 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.5192 (rs1_release.220610-1622) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
7 | 29484 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\combase.dll | 10.0.14393.5192 (rs1_release.220610-1622) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
7 | 29483 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
7 | 29482 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | true | Microsoft Windows | Valid
7 | 29481 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\ole32.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | true | Microsoft Windows | Valid
7 | 29480 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 29479 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | true | Microsoft Windows | Valid
7 | 29478 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 | true | Splunk, Inc. | Valid
7 | 29477 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
7 | 29476 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
7 | 29475 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
7 | 29474 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
7 | 29473 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
7 | 29472 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
7 | 29471 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
7 | 29470 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916 | true | Splunk, Inc. | Valid
7 | 29469 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | true | Microsoft Windows | Valid
7 | 29468 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | true | Microsoft Windows | Valid
7 | 29467 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.5291 (rs1_release.220806-1444) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132 | true | Microsoft Windows | Valid
7 | 29466 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.10 | libxml2 library | libxml2 | - | libxml2.dll | MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20 | true | Splunk, Inc. | Valid
7 | 29465 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\secur32.dll | 10.0.14393.2273 (rs1_release_1.180427-1811) | Security Support Provider Interface | Microsoft® Windows® Operating System | Microsoft Corporation | secur32.dll | MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759 | true | Microsoft Windows | Valid
7 | 29464 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\sechost.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
7 | 29463 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
7 | 29462 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.4886 (rs1_release.220104-1735) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA | true | Microsoft Windows | Valid
10 | 29461 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-DF47-630D-9D00-000000007502} | 2340 | 2984 | C:\Windows\system32\conhost.exe | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
7 | 29460 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.5246 (rs1_release.220701-1744) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9 | true | Microsoft Windows | Valid
7 | 29459 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | true | Microsoft Windows | Valid
7 | 29458 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.5006 (rs1_release.220301-1704) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 29457 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-EA57-630D-0E04-000000007502} | 5576 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | 8.2.5 | Registry monitor | splunk Application | Splunk Inc. | splunk-regmon.exe | MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778 | true | Splunk, Inc. | Valid
10 | 29456 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 10:45:43.960 | {3AAE424D-DEE2-630D-0C00-000000007502} | 720 | 852 | C:\Windows\system32\svchost.exe | {3AAE424D-DEE3-630D-1D00-000000007502} | 1960 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 29455 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-115 | - | 2022-08-30 (record continues on the next line)
10:45:43.960{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:43.960{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.961{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.371{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C2353A3C3BCF61BDB8C19AED31393E,SHA256=FDF503E2520862C83FFED8FE4A567C749243DA81B7C939EBF67D0B5EFDF45E70,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000038412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:44.550{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F358B5B0468F760745E0F21852696801,SHA256=CD0F2A0D6C321DC38921F8DB5490CE27B91D63190A9E9A0E1450952A421D8BFA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000029560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.923{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50285-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
734700x800000000000000029559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.739{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
10341000x800000000000000029558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.739{3AAE424D-EA58-630D-0F04-000000007502}59084320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x800000000000000029557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.739{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid
734700x800000000000000029556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.739{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid
10341000x800000000000000029555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.694{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10)
10341000x800000000000000029554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.694{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10)
10341000x800000000000000029553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.694{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10)
10341000x800000000000000029552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.689{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10)
10341000x800000000000000029551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.689{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10)
10341000x800000000000000029550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.689{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10)
734700x800000000000000029549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid
734700x800000000000000029548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid
734700x800000000000000029547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid
734700x800000000000000029546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid
734700x800000000000000029545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid
734700x800000000000000029544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid
734700x800000000000000029543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x800000000000000029542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid
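The records on this page are Sysmon Operational events with their XML tags stripped, so each one runs the System fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) straight into the EventData fields; for Event ID 10 (ProcessAccess) those are RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess and CallTrace. The Python below is an added example, not code from this page or from Splunk Attack Range: it parses Sysmon's XML event layout, decodes GrantedAccess into PROCESS_* rights, and ranks each ProcessAccess record. The sample events are constructed from values visible above (conhost.exe opening splunk-regmon.exe with 0x1fffff, aurora-agent.exe opening splunk-powershell.exe with 0x1010 and a call trace ending in UNKNOWN(...), svchost.exe opening sysmon64.exe with 0x1400 through lsm.dll), with the call traces shortened and the thread id set to 0. The BENIGN_SOURCES allowlist, the WRITE_LIKE bit set and the verdict labels are the example's own assumptions.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records. Added example, not page code."""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Subset of PROCESS_* access rights from winnt.h, keyed by bit.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
WRITE_LIKE = 0x0002 | 0x0008 | 0x0020  # rights that let a caller write into or run code in the target

# Assumed allowlist: the Win32 subsystem opens every process it hosts with full access.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}


def make_event(record_id, data):
    """Render one EID 10 event in Sysmon's XML layout (used here only to build samples)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>10</EventID><Version>3</Version><Level>4</Level><Task>10</Task>"
        f"<Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>"
        f"<EventRecordID>{record_id}</EventRecordID>"
        f"<Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
        f"<Computer>win-host-ctus-attack-range-115</Computer></System>"
        f"<EventData>{body}</EventData></Event>"
    )


def parse_event(xml_text):
    """Flatten one Sysmon event into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields


def decode_access(granted):
    """Expand the hex GrantedAccess string into named PROCESS_* rights."""
    mask = int(granted, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def triage(fields):
    """Return (verdict, reasons) with verdict 'benign', 'low' or 'review' for one EID 10 record."""
    if fields.get("EventID") != 10:
        return "skip", []
    if fields["SourceImage"].lower() in BENIGN_SOURCES:
        return "benign", ["source is a Win32 subsystem process"]
    mask = int(fields["GrantedAccess"], 16)
    reasons = []
    if mask == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS on target")
    elif mask & WRITE_LIKE:
        reasons.append("write/thread rights on target")
    elif mask & 0x0010:
        reasons.append("PROCESS_VM_READ on target")
    # Sysmon writes UNKNOWN(addr) for a return address not backed by a loaded module.
    if any(frame.startswith("UNKNOWN") for frame in fields["CallTrace"].split("|")):
        reasons.append("call trace contains an unbacked (UNKNOWN) frame")
    return ("review" if reasons else "low"), reasons


def sample(record_id, src, tgt, granted, trace):
    """Constructed sample; src and tgt are (ProcessGUID, ProcessId, Image) taken from this page."""
    return make_event(record_id, {
        "RuleName": "-", "UtcTime": "2022-08-30 10:45:44.694",
        "SourceProcessGUID": src[0], "SourceProcessId": src[1], "SourceThreadId": "0",
        "SourceImage": src[2], "TargetProcessGUID": tgt[0], "TargetProcessId": tgt[1],
        "TargetImage": tgt[2], "GrantedAccess": granted, "CallTrace": trace,
    })


REGMON = ("{3AAE424D-EA57-630D-0E04-000000007502}", "5576",
          r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe")
PWSH = ("{3AAE424D-EA58-630D-0F04-000000007502}", "5908",
        r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe")
SYSMON = ("{3AAE424D-DEE3-630D-1D00-000000007502}", "1960", r"C:\Windows\sysmon64.exe")

SAMPLE_EVENTS = [  # constructed from values on this page; call traces shortened
    sample(29461, ("{3AAE424D-DF47-630D-9D00-000000007502}", "2340", r"C:\Windows\system32\conhost.exe"),
           REGMON, "0x1fffff",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ntdll.dll+51791"),
    sample(29555, ("{3AAE424D-E5D3-630D-6803-000000007502}", "5752", r"C:\Program Files\Aurora-Agent\aurora-agent.exe"),
           PWSH, "0x1010",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10)"),
    sample(29456, ("{3AAE424D-DEE2-630D-0C00-000000007502}", "720", r"C:\Windows\system32\svchost.exe"),
           SYSMON, "0x1400",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\SYSTEM32\ntdll.dll+51791"),
]


def run(events=SAMPLE_EVENTS):
    """Parse and triage every event; returns [(SourceImage, verdict, rights, reasons), ...]."""
    out = []
    for xml_text in events:
        fields = parse_event(xml_text)
        verdict, reasons = triage(fields)
        out.append((fields["SourceImage"], verdict, decode_access(fields["GrantedAccess"]), reasons))
    return out


if __name__ == "__main__":
    for src, verdict, rights, reasons in run():
        print(f"{verdict:7} {src}\n        rights={rights}\n        {'; '.join(reasons)}")
```

The unbacked-frame heuristic fires on every aurora-agent.exe record above: the (wow64) frames show a 32-bit source process, and its last return address is outside any loaded module. That is a triage signal to baseline per environment, not a verdict. The 0x1fffff opens from csrss.exe and conhost.exe, and the 0x1400 query-only opens from svchost.exe through lsm.dll, are Windows housekeeping and are what the allowlist and the rights decoding are there to separate from a memory read by an unexpected source.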
734700x800000000000000029541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid
734700x800000000000000029540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid
734700x800000000000000029539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x800000000000000029538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x800000000000000029537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x800000000000000029536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x800000000000000029535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid
734700x800000000000000029534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x800000000000000029533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid
734700x800000000000000029532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x800000000000000029531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid
734700x800000000000000029530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid
734700x800000000000000029529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
734700x800000000000000029528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x800000000000000029527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x800000000000000029526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x800000000000000029525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid
734700x800000000000000029524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x800000000000000029523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x800000000000000029522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x800000000000000029521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid
734700x800000000000000029520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x800000000000000029519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid
734700x800000000000000029518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid
734700x800000000000000029517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 10341000x800000000000000029514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 
(rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 
10341000x800000000000000029509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:44.488{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.492{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA266BB3629727D09F312E8BBDFBA298,SHA256=A739055E780E27ED1091771A2A2FE49DF66DDE2894C6B4C42A052E8006089D0F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.174{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000029500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.174{3AAE424D-EA57-630D-0E04-000000007502}55764324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.158{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.158{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000029561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:45.593{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1BF78A3B0C4A9F82D06FDE2CC8C0F4,SHA256=E2B0E9F057610352E36C478234ADE03E2CECFABD0BB3939660D11F63A26B6AB7,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000038414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:42.867{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53709-false10.0.1.12-8000- 23542300x800000000000000038413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:45.639{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5328AB348B74D13FD18EB11A1E2733A1,SHA256=B6637CBC3168BCFD797770F611663E2A24F8DABB747E181CD283ADAF207E787B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:46.731{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49CBED08AF74D66829641323CCD4AC8,SHA256=B74AF7DF58F1EB422088D051D7784F5AFE40434A48BCC4D280B85AE1C66E6595,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.383{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.383{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.383{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000029609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x800000000000000029601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-EA5C-630D-1307-000000007402}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.812{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1071B4C13E64682D21262669B84759,SHA256=D7B6E9E08AADEDF4B1D0C8AC41DC64346311A3D569FBEFE6D5FBF03C9A448C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:48.283{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FA15B9A49272C03BC56A32C8A315B1,SHA256=2812B7148265EF57EBA39B8F3ED8516E415EBA62B59316B5D9F07BC00D05C900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.706{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=148562877F4251E82D3DBFA83D6902D4,SHA256=39A61417EF77F6E0C004DC79DDE60D48C46E4A290350F4CD2458B95AE408772B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5C-630D-1207-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:48.283{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:48.283{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:48.283{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EA5C-630D-1207-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5C-630D-1207-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.284{BEA5AFC2-EA5C-630D-1207-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:49.372{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB8D30BC61FCD11D2B4510AF6C201E7,SHA256=9B7737D83B2ACA53CBBF4A5EFC459A84081D0FBD7F11FAFD40A1E7E16FACE57B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.803{BEA5AFC2-EA5D-630D-1407-000000007402}71207116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.624{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.623{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5D-630D-1407-000000007402}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:49.621{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.621{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:49.621{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.620{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:49.620{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EA5D-630D-1407-000000007402}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.620{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5D-630D-1407-000000007402}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.620{BEA5AFC2-EA5D-630D-1407-000000007402}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000038468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.617{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.614{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 
10341000x800000000000000038466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.612{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.606{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.582{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.577{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.561{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.555{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.550{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.541{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.533{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.524{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.516{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.508{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.501{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.466{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.463{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.093{BEA5AFC2-EA5C-630D-1307-000000007402}71327152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:50.475{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A73BC16C643F83B859B1031AD751FDB,SHA256=401127A2DA137AB2F41F3AC169EBA856E9091B6BE1F88E402A304FD847521949,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000038495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.716{BEA5AFC2-EA5E-630D-1507-000000007402}64286404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5E-630D-1507-000000007402}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:50.573{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:50.573{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:50.573{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA5E-630D-1507-000000007402}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5E-630D-1507-000000007402}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.574{BEA5AFC2-EA5E-630D-1507-000000007402}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.167{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99C4AAE9CEB7276908E67AA2384C65E,SHA256=821F5ECBB40F35746D2495BFBFAEAFEFD6304C3F4F128B7EE6A19334042B8041,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.089{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.083{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.082{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.079{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.068{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.051{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.048{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000029662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.755{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E9E3046E8C4F104C68DEADB34733E2D8,SHA256=BADB0836CE1AACA9FAE7B6D646E70A06E08B0B2F2E3F6797EEE5F6B93AC25567,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.711{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.710{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.709{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.707{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.690{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.671{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.668{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.620{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.612{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.590{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.584{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.582{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.579{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.575{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.573{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.662{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.657{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.656{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.654{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.651{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.649{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.646{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.645{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.642{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.641{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.640{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.640{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.639{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.638{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.636{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000038517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.243{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D13E6E86C549C31735A32B9FC6B2646,SHA256=1DBC4EDA17CD33EAFE8505C20845FD6F2F58355468841EF027E0A12794F94753,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000038516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.118{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.118{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.047{BEA5AFC2-EA5F-630D-1707-000000007402}64682724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:53.967{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE153569D559392794698D647C60A9F2,SHA256=A0BADE98CF5CA77B696799694CDBAA66DC4D0317111BE073ADA9B7EE416A0BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:53.322{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D423C53932C0A6F19CA467E217E15E67,SHA256=C806AD9F76BB6BBB8B1A06AB3CE7AA6DE70F1826BDEFE2B48DF5BB9926085ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:54.419{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08560ADF7E3C5DF944C9876ADFD707A5,SHA256=7246D2713AF5A38DAD9A00CEC5BA6ACC25016C9BF7D932E2FB38398EAE1CCC25,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000038539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:55.511{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F0862FDA1D096677F16FA953DB2476,SHA256=CA66372FE97FD8F6FB0FC6139513AA6231C2D20C8808AC9DD29665E090AA3745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:55.061{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19418C9180C4DCD394F29EDE956B7497,SHA256=C6B725B5393652F97575F9439BCD7D057E935395B3234E884314A023A7A18A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:56.604{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156BA6AE6729863004CA0590882EA3C9,SHA256=55BCD6CEA4830034267D70E353F035E2B300D207B1777B883CDA51EC41E1D61F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:54.754{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50287-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:56.267{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67ACA450C1E595EA6B87C0D0C81F5F3,SHA256=B35792E4906CEBCD0AFED2652F32955FA54BC245F61CBBA1B60EEBAD97247F67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:54.866{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53711-false10.0.1.12-8000- 23542300x800000000000000038541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:57.690{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D405F9AAE4AFCCA1771E0D2F5FEDE4,SHA256=D5A2F70C5DBCD962AEFCB006D4F572CB95EDE1FC0DC7613AD33E9AAF73817557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:57.367{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C14CAC97AD4922C5E2CC7784A0C19E,SHA256=F02CBD9815FB11BF0C7727E82CE73C11C77C8095A02479EFD7B1A3B88EDF28A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:58.773{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95075D765C25CFA8127B652D285BA4D,SHA256=4D64D7938AB0B5919F93438CF5F8CA6697E378A7B75946578A727FA85149145D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:58.562{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EFD22BB0AAD06A45F28E7128A27C1B,SHA256=411E4353EC2F25934402FD62A20805804E0FF86569C0D8EA10C564829A1B0819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:59.656{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B37BEA0328342970D39F12CDB8AACD7,SHA256=E1D622B034A683A68FEDDD0C600D478C1C7B78200F9C36A86AD043D836117C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:45:59.869{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9998D68164E67B0693878C05D5141CD,SHA256=31240651596F096D1D6CB5EC32235F6510565BFD96F139F7B09192428DA2734C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:00.956{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E94567FC735CA6D63366539EDA4EAB,SHA256=840E2CF38D7CA845813B0BCC2B79FB97283A3F9370D12C896A2B38A0C22625DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:00.735{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17681C95C2EABED42282EE69D983D792,SHA256=8E5D7BA3FF2696EA33033F8D178E2FB9AB2724354B985FF3BA85D75B54B46B94,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:00.328{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8bc5d-0xb17edda3) 23542300x800000000000000029673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:01.824{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6E2C2EAC280C17C7C45983B70912A2,SHA256=E4823D9EFEDE2AE7B5E076D11753229CB590AEF1AAC48F47AAF864F3455619C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:02.929{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5395FAB53F9D7F212A2B425B6CC66B6,SHA256=6AD33EEBCD94CA4FA746222F661CEF6E26470093737A8907B31EBC2ED3381375,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:00.026{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53712-false10.0.1.12-8000- 23542300x800000000000000038546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:02.060{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D5C8139E952AA420F10DB12441632E,SHA256=625F8B073B6B32FE643BCB47494B95BAC8A9F38F4ABD89E7356D705E8A0F7A11,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:59.882{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.644{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.640{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.637{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.633{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.632{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.631{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.629{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.627{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.623{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.617{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.604{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.599{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.597{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.585{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.564{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.562{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.554{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.513{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.504{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.491{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.478{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.459{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.445{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.431{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.419{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.407{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.396{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.392{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 23542300x800000000000000029686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.382{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EBE4C52D68FDF20401CA7E98B16FE1C8,SHA256=D96F05A46440D64337182AD20189FFA26299D2647D4EF871BABE0C64418315CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.944{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D198304E00986014CDF95A5BE9BC70,SHA256=F5C085667904BC4FEB6C8371CE3298DC3D308E6CA98FCEA46401A8A96EF08EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.567{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.566{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.566{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 23542300x800000000000000038634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.565{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E8EFBB58269EEF7CAFFD3B364688DCA,SHA256=BE219BC0CE84AF60014D58FD992EE4AE1C8D24BAE2B2FBD2A5F06D02DF26B14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:14.015{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC58D7D0B38FDFEC435CB90D27BA55F3,SHA256=7A1FAA7952F8B32F5343B58B4E66A1B4ED97294FCFDB6E074C6C62332DBA87BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:14.455{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9ACA2573B947138DAF7310C68C64F409,SHA256=FC7EAFD960ED2E8C375A9E58ABA81A9200C8D76CCCF219D0A2395B8D7ECF9704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:15.210{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBFE4E8E1098311622F40C30A778137,SHA256=7BCEE89DAA1D101A1584C4AA21F3956867DFD0679562A64F7C0B2F78FD0CCF26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.026{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.023{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:31.927{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:31.927{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:31.927{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:31.913{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:31.551{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80532A50697AB374D547E5DB54E258D6,SHA256=215962DF31EE03DC1237B95C57BF5C319C55F112C0F1D4A8AEFBA06ABF726B2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.697{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.697{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.696{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.695{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.675{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.664{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.637{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.631{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.621{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.615{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.613{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.611{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.607{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.603{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.600{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.589{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.588{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.586{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.585{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.583{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.582{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.580{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.576{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.570{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.567{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.556{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.549{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.530{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.514{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.507{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.468{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.461{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.454{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.446{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.429{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.424{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.414{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.404{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.398{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.382{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.381{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000038718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.670{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.662{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.641{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.631{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.624{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000038713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.622{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18354C4861051BEC13652DE65D0C6A3,SHA256=5B60A6CC45188B10AA37666345DF2E345483765C2CA05E1F123D06ECCBE034BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.620{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:32.618{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.616{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.614{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.611{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.609{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.608{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.604{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.604{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.603{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.602{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.601{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.600{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.598{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000029822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:32.061{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0756AA6BC1A5D33C365E9BC7241E24A3,SHA256=86A6C2D0F52E14AACDAB5ED52A6648CD49950F0A3604DDDD495F1459F616EA36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:32.088{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.087{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000038719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:33.702{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3E452CDC3E71E143277348980E588,SHA256=86261380154EA4E9E59F2E1E84DC0D52D996B52A3AE6A1B62BEF77DC77A8D956,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000029833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.647{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.647{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:33.647{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.641{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000029829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.641{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 
10:46:40.748{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000029846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:40.748{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000030000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x800000000000000029999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 
(rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x800000000000000029992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000038736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:41.825{BEA5AFC2-DC81-630D-1600-000000007402}12961264C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:41.825{BEA5AFC2-DC81-630D-1600-000000007402}12961264C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:41.353{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883430D425A32A0986BEA1F8608EA0F9,SHA256=38A9C2B5375FD70A9963B35AE0FBEC87C832298984620FCB1F5357D2E7626C16,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x800000000000000029979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000029976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x800000000000000029969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating 
SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000029964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000029959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:41.940{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:41.940{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.941{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.782{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F22CE9D266540F7102CEB3BE11E7833,SHA256=8659582E50EBA2FFA353CF89C626CAE1CD027F821FD3432E025A63941696EBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.712{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E768B83129B389BA42620E07E4432342,SHA256=00B2CECA7DABCD376FBE51011C78228D2E8536231959D409CDF086459C1B473F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.578{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=44C8314D725D3062E63D2E4477E9472C,SHA256=2364F601F4EF7B61D1553735AB5CEA2930821E4275C93825CCC5C9E6A8042B16,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:41.468{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.452{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.452{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000029946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.294{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.294{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.293{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.291{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x800000000000000029942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.289{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.288{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.288{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.287{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x800000000000000029932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x800000000000000029918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
(continuation of the preceding ImageLoad record, whose header precedes this section)  Company Microsoft Corporation  OriginalFileName ucrtbase.dll  Hashes MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C  Signed true  Signature Microsoft Windows  SignatureStatus Valid

All records below are Microsoft-Windows-Sysmon/Operational events with Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the EventID and RuleName "-" (schema Version 3 for Event IDs 7 and 10, Version 5 for Event IDs 1, 3 and 23). Each record is listed as its EventRecordID, event type, Computer and UtcTime, followed by its EventData fields. The export ran SourceProcessId and SourceThreadId together into one number; the split shown follows the process ids that appear elsewhere in these records (680 for splunkd.exe, 4992 for splunk-MonitorNoHandle.exe, 5684 for splunk-powershell.exe).

Record 29914  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  Process {3AAE424D-EA91-630D-1204-000000007502} PID 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  ImageLoaded C:\Windows\System32\msvcrt.dll  FileVersion 7.0.14393.2457 (rs1_release_inmarket.180822-1743)  Description Windows NT CRT DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName msvcrt.dll
  Hashes MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 29913  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  Process {3AAE424D-EA91-630D-1204-000000007502} PID 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll  FileVersion 2.9.10  Description libxml2 library  Product libxml2  Company -  OriginalFileName libxml2.dll
  Hashes MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20  Signed true  Signature Splunk, Inc.  SignatureStatus Valid

Record 29912  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  Process {3AAE424D-EA91-630D-1204-000000007502} PID 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  ImageLoaded C:\Windows\System32\fltLib.dll  FileVersion 10.0.14393.0 (rs1_release.160715-1616)  Description Filter Library  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName filterLib.dll
  Hashes MD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 29911  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  Process {3AAE424D-EA91-630D-1204-000000007502} PID 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  ImageLoaded C:\Windows\System32\advapi32.dll  FileVersion 10.0.14393.4886 (rs1_release.220104-1735)  Description Advanced Windows 32 Base API  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName advapi32.dll
  Hashes MD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 29910  EventID 10 (ProcessAccess)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  SourceProcessGUID {3AAE424D-DF47-630D-9D00-000000007502}  SourceProcessId 2340  SourceThreadId 2984  SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {3AAE424D-EA91-630D-1204-000000007502}  TargetProcessId 4992  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 29909  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  Process {3AAE424D-EA91-630D-1204-000000007502} PID 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  ImageLoaded C:\Windows\System32\KernelBase.dll  FileVersion 10.0.14393.5246 (rs1_release.220701-1744)  Description Windows NT BASE API Client DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName Kernelbase.dll
  Hashes MD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 29908  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  Process {3AAE424D-EA91-630D-1204-000000007502} PID 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  ImageLoaded C:\Windows\System32\kernel32.dll  FileVersion 10.0.14393.5127 (rs1_release_inmarket.220514-1756)  Description Windows NT BASE API Client DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName kernel32
  Hashes MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 29907  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  Process {3AAE424D-EA91-630D-1204-000000007502} PID 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  ImageLoaded C:\Windows\System32\ntdll.dll  FileVersion 10.0.14393.5006 (rs1_release.220301-1704)  Description NT Layer DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName ntdll.dll
  Hashes MD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 29906  EventID 10 (ProcessAccess)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  SourceProcessGUID {3AAE424D-DEE2-630D-0C00-000000007502}  SourceProcessId 720  SourceThreadId 852  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {3AAE424D-DEE3-630D-1D00-000000007502}  TargetProcessId 1960  TargetImage C:\Windows\sysmon64.exe  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 29905  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  Process {3AAE424D-EA91-630D-1204-000000007502} PID 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe  FileVersion 10.0.10011.16384  Description SplunkMonNoHandle Control Program  Product Windows (R) Win 7 DDK driver  Company Windows (R) Win 7 DDK provider  OriginalFileName SplunkMonNoHandle.exe
  Hashes MD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D  Signed true  Signature Splunk, Inc.  SignatureStatus Valid

Record 29904  EventID 10 (ProcessAccess)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  SourceProcessGUID {3AAE424D-DEE2-630D-0C00-000000007502}  SourceProcessId 720  SourceThreadId 852  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {3AAE424D-DEE3-630D-1D00-000000007502}  TargetProcessId 1960  TargetImage C:\Windows\sysmon64.exe  GrantedAccess 0x1400
  CallTrace identical to record 29906 except for the third frame, c:\windows\system32\lsm.dll+11aad

Record 29903  EventID 10 (ProcessAccess)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  SourceProcessGUID {3AAE424D-DEE2-630D-0C00-000000007502}  SourceProcessId 720  SourceThreadId 852  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {3AAE424D-DEE3-630D-1D00-000000007502}  TargetProcessId 1960  TargetImage C:\Windows\sysmon64.exe  GrantedAccess 0x1400
  CallTrace identical to record 29906 except for the third frame, c:\windows\system32\lsm.dll+11058

Record 29902  EventID 10 (ProcessAccess)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  SourceProcessGUID {3AAE424D-DEE2-630D-0C00-000000007502}  SourceProcessId 720  SourceThreadId 852  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {3AAE424D-DEE3-630D-1D00-000000007502}  TargetProcessId 1960  TargetImage C:\Windows\sysmon64.exe  GrantedAccess 0x1400
  CallTrace identical to record 29906 except for the third frame, c:\windows\system32\lsm.dll+12023

Record 29901  EventID 10 (ProcessAccess)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  SourceProcessGUID {3AAE424D-DEE2-630D-0500-000000007502}  SourceProcessId 408  SourceThreadId 424  SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {3AAE424D-EA91-630D-1204-000000007502}  TargetProcessId 4992  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

Record 29900  EventID 10 (ProcessAccess)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.264
  SourceProcessGUID {3AAE424D-DF47-630D-9900-000000007502}  SourceProcessId 680  SourceThreadId 2832  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {3AAE424D-EA91-630D-1204-000000007502}  TargetProcessId 4992  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 29899  EventID 1 (ProcessCreate)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:41.265
  ProcessGuid {3AAE424D-EA91-630D-1204-000000007502}  ProcessId 4992  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  FileVersion 10.0.10011.16384  Description SplunkMonNoHandle Control Program  Product Windows (R) Win 7 DDK driver  Company Windows (R) Win 7 DDK provider  OriginalFileName SplunkMonNoHandle.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {3AAE424D-DEE2-630D-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D
  ParentProcessGuid {3AAE424D-DF47-630D-9900-000000007502}  ParentProcessId 680  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

Record 29898  EventID 3 (NetworkConnect)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:38.896
  ProcessGuid {3AAE424D-DF4E-630D-CA00-000000007502}  ProcessId 744  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  User NT AUTHORITY\SYSTEM
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-ctus-attack-range-115.us-east-2.compute.internal  SourcePort 50296  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.12  DestinationHostname ip-10-0-1-12.us-east-2.compute.internal  DestinationPort 8000  DestinationPortName -

Records 38760 through 38751  EventID 10 (ProcessAccess)  Computer win-dc-ctus-attack-range-146.attackrange.local
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402}  SourceProcessId 5272  SourceThreadId 5416  SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe  GrantedAccess 0x1000 (all ten records)
  Target is either services.exe ({BEA5AFC2-DC7F-630D-0A00-000000007402}, PID 624) or svchost.exe ({BEA5AFC2-DC81-630D-1500-000000007402}, PID 1252):
    38760  UtcTime 2022-08-30 10:46:42.468  TargetImage C:\Windows\system32\services.exe
    38759  UtcTime 2022-08-30 10:46:42.468  TargetImage C:\Windows\system32\services.exe
    38758  UtcTime 2022-08-30 10:46:42.468  TargetImage C:\Windows\system32\services.exe
    38757  UtcTime 2022-08-30 10:46:42.468  TargetImage C:\Windows\system32\services.exe
    38756  UtcTime 2022-08-30 10:46:42.467  TargetImage C:\Windows\system32\svchost.exe
    38755  UtcTime 2022-08-30 10:46:42.467  TargetImage C:\Windows\system32\svchost.exe
    38754  UtcTime 2022-08-30 10:46:42.467  TargetImage C:\Windows\system32\services.exe
    38753  UtcTime 2022-08-30 10:46:42.466  TargetImage C:\Windows\system32\services.exe
    38752  UtcTime 2022-08-30 10:46:42.465  TargetImage C:\Windows\system32\svchost.exe
    38751  UtcTime 2022-08-30 10:46:42.465  TargetImage C:\Windows\system32\svchost.exe
  CallTrace (identical in all ten) C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0)

Record 38750  EventID 23 (FileDelete)  Computer win-dc-ctus-attack-range-146.attackrange.local  UtcTime 2022-08-30 10:46:42.458
  ProcessGuid {BEA5AFC2-DD02-630D-F800-000000007402}  ProcessId 632  User NT AUTHORITY\SYSTEM  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=CE70C0A8FFB9228740CAC12604F9E529,SHA256=BF4FA28329A0E2BBE0C3E0350F94B349CF245F7671CF6934DC686E240D932DB2,IMPHASH=00000000000000000000000000000000  IsExecutable false  Archived true

Record 30055  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.639
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\kernel.appcore.dll  FileVersion 10.0.14393.2312 (rs1_release.180607-1919)  Description AppModel API Host  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName kernel.appcore.dll
  Hashes MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30054  EventID 10 (ProcessAccess)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.637
  SourceProcessGUID {3AAE424D-EA92-630D-1404-000000007502}  SourceProcessId 5684  SourceThreadId 5316  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGUID {3AAE424D-DF47-630D-9900-000000007502}  TargetProcessId 680  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 30053  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.637
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\dbgcore.dll  FileVersion 10.0.14321.1024 (debuggers(dbg).210127-1811)  Description Windows Core Debugging Helpers  Product Microsoft® Windows® Operating System  Company Microsoft  OriginalFileName DBGCORE.DLL
  Hashes MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30052  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.633
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\dbghelp.dll  FileVersion 10.0.14321.1024 (rs1_release.160715-1616)  Description Windows Image Helper  Product Microsoft® Windows® Operating System  Company Microsoft  OriginalFileName DBGHELP.DLL
  Hashes MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30051  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.489
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\cryptbase.dll  FileVersion 10.0.14393.0 (rs1_release.160715-1616)  Description Base cryptographic API DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName cryptbase.dll
  Hashes MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30050  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.489
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\rsaenh.dll  FileVersion 10.0.14393.4467 (rs1_release.210604-1844)  Description Microsoft Enhanced Cryptographic Provider  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName rsaenh.dll
  Hashes MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30049  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.489
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\cryptsp.dll  FileVersion 10.0.14393.2969 (rs1_release.190503-1820)  Description Cryptographic Service Provider API  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName cryptsp.dll
  Hashes MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30048  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\srvcli.dll  FileVersion 10.0.14393.5066 (rs1_release.220401-1841)  Description Server Service Client DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName SRVCLI.DLL
  Hashes MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F  Signed true  Signature Microsoft Windows  SignatureStatus Valid
Record 30047  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\bcrypt.dll  FileVersion 10.0.14393.4583 (rs1_release.210730-1850)  Description Windows Cryptographic Primitives Library  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName bcrypt.dll
  Hashes MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30046  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\wkscli.dll  FileVersion 10.0.14393.5066 (rs1_release.220401-1841)  Description Workstation Service Client DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName WKSCLI.DLL
  Hashes MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30045  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\netutils.dll  FileVersion 10.0.14393.0 (rs1_release.160715-1616)  Description Net Win32 API Helpers DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName NETUTILS.DLL
  Hashes MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30044  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\netapi32.dll  FileVersion 10.0.14393.5125 (rs1_release.220429-1732)  Description Net Win32 API DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName NetApi32.DLL
  Hashes MD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30043  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll  FileVersion 14.16.27012.6 built by: vcwrkspc  Description Microsoft® C Runtime Library  Product Microsoft® Visual Studio® 2017  Company Microsoft Corporation  OriginalFileName msvcp140.dll
  Hashes MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD  Signed true  Signature Microsoft Corporation  SignatureStatus Valid

Record 30042  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\msvcp_win.dll  FileVersion 10.0.14393.2999 (rs1_release_inmarket.190520-1518)  Description Microsoft® C Runtime Library  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName msvcp_win.dll
  Hashes MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30041  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\oleaut32.dll  FileVersion 10.0.14393.4402 (rs1_release.210426-1725)  Description OLEAUT32.DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName OLEAUT32.DLL
  Hashes MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30040  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\bcryptprimitives.dll  FileVersion 10.0.14393.4770 (rs1_release.211101-1440)  Description Windows Cryptographic Primitives Library  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName bcryptprimitives.dll
  Hashes MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30039  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\combase.dll  FileVersion 10.0.14393.5192 (rs1_release.220610-1622)  Description Microsoft COM for Windows  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName COMBASE.DLL
  Hashes MD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30038  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\ole32.dll  FileVersion 10.0.14393.5127 (rs1_release_inmarket.220514-1756)  Description Microsoft OLE for Windows  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName OLE32.DLL
  Hashes MD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5  Signed true  Signature Microsoft Windows  SignatureStatus Valid
Record 30037  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\Wldap32.dll  FileVersion 10.0.14393.5192 (rs1_release.220610-1622)  Description Win32 LDAP API DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName WLDAP32.DLL
  Hashes MD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30036  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\gdi32full.dll  FileVersion 10.0.14393.5127 (rs1_release_inmarket.220514-1756)  Description GDI Client DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName gdi32
  Hashes MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30035  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\adsldpc.dll  FileVersion 10.0.14393.0 (rs1_release.160715-1616)  Description ADs LDAP Provider C DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName adsldpc
  Hashes MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30034  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\win32u.dll  FileVersion 10.0.14393.0 (rs1_release.160715-1616)  Description Win32u  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName Win32u.DLL
  Hashes MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30033  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll  FileVersion 14.16.27012.6 built by: vcwrkspc  Description Microsoft® C Runtime Library  Product Microsoft® Visual Studio® 2017  Company Microsoft Corporation  OriginalFileName vcruntime140.dll
  Hashes MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E  Signed true  Signature Microsoft Corporation  SignatureStatus Valid

Record 30032  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\gdi32.dll  FileVersion 10.0.14393.4169 (rs1_release.210107-1130)  Description GDI Client DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName gdi32
  Hashes MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30031  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\user32.dll  FileVersion 10.0.14393.4169 (rs1_release.210107-1130)  Description Multi-User Windows USER API Client DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName user32
  Hashes MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4  Signed true  Signature Microsoft Windows  SignatureStatus Valid
Record 30030  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\ws2_32.dll  FileVersion 10.0.14393.3241 (rs1_release_inmarket.190910-1801)  Description Windows Socket 2.0 32-Bit DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName ws2_32.dll
  Hashes MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30029  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\archive.dll  FileVersion -  Description -  Product -  Company -  OriginalFileName -
  Hashes MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44  Signed true  Signature Splunk, Inc.  SignatureStatus Valid

Record 30028  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll  FileVersion 1.0.2za  Description OpenSSL Shared Library  Product The OpenSSL Toolkit  Company The OpenSSL Project, http://www.openssl.org/  OriginalFileName libeay32.dll
  Hashes MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE  Signed true  Signature Splunk, Inc.  SignatureStatus Valid

Record 30027  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll  FileVersion -  Description -  Product -  Company -  OriginalFileName -
  Hashes MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E  Signed true  Signature Splunk, Inc.  SignatureStatus Valid

Record 30026  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll  FileVersion -  Description -  Product -  Company -  OriginalFileName -
  Hashes MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2  Signed true  Signature Splunk, Inc.  SignatureStatus Valid

Record 30025  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.473
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\rpcrt4.dll  FileVersion 10.0.14393.5291 (rs1_release.220806-1444)  Description Remote Procedure Call Runtime  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName rpcrt4.dll
  Hashes MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30024  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.457
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll  FileVersion 1.0.2za  Description OpenSSL Shared Library  Product The OpenSSL Toolkit  Company The OpenSSL Project, http://www.openssl.org/  OriginalFileName ssleay32.dll
  Hashes MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63  Signed true  Signature Splunk, Inc.  SignatureStatus Valid

Record 30023  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.457
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\sechost.dll  FileVersion 10.0.14393.5006 (rs1_release.220301-1704)  Description Host for SCM/SDDL/LSA Lookup APIs  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName sechost.dll
  Hashes MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30022  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.457
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\ucrtbase.dll  FileVersion 10.0.14393.3659 (rs1_release_1.200410-1813)  Description Microsoft® C Runtime Library  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName ucrtbase.dll
  Hashes MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C  Signed true  Signature Microsoft Windows  SignatureStatus Valid

Record 30021  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.457
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll  FileVersion -  Description -  Product -  Company -  OriginalFileName -
  Hashes MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916  Signed true  Signature Splunk, Inc.  SignatureStatus Valid

Record 30020  EventID 7 (ImageLoad)  Computer win-host-ctus-attack-range-115  UtcTime 2022-08-30 10:46:42.457
  Process {3AAE424D-EA92-630D-1404-000000007502} PID 5684  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  ImageLoaded C:\Windows\System32\activeds.dll  FileVersion 10.0.14393.4169 (rs1_release.210107-1130)  Description ADs Router Layer DLL  Product Microsoft® Windows® Operating System  Company Microsoft Corporation  OriginalFileName ADs
  Hashes MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB  Signed true  Signature Microsoft Windows  SignatureStatus Valid
734700x800000000000000030019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft 
WindowsValid 734700x800000000000000030012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000030011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:42.457{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:42.457{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.458{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.190{3AAE424D-EA91-630D-1304-000000007502}55084232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.190{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.190{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000030001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.112{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DD99F90CE78B6FDD6BB16318AB017E,SHA256=D014A54E2C7FF138A27B53F81443CEA9C34682CD782D044AC61127A9436AD1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:42.156{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F26DFBFE8759F1701392657736CF666F,SHA256=69AE37EC78474B00438B63BA8DE3C7C4ECC5F0184E23EA18225E559087C0A5FB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000038748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000038747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000038746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\AddressTypeDWORD (0x00000000) 13241300x800000000000000038745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\LeaseTerminatesTimeDWORD (0x630df8a2) 13241300x800000000000000038744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 
10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\T2DWORD (0x630df6e0) 13241300x800000000000000038743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\T1DWORD (0x630df19a) 13241300x800000000000000038742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\LeaseObtainedTimeDWORD (0x630dea92) 13241300x800000000000000038741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\LeaseDWORD (0x00000e10) 13241300x800000000000000038740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpServer10.0.1.1 13241300x800000000000000038739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpSubnetMask255.255.255.0 
13241300x800000000000000038738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpIPAddress10.0.1.14 13241300x800000000000000038737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpInterfaceOptionsBinary Data 354300x800000000000000038765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.229{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local56207- 354300x800000000000000038764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:41.837{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 23542300x800000000000000038763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.561{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C0EB8F4D999C7B94BC67BF984FDDA4,SHA256=3DCF00E3DDD9EE72880AE0E79E299253BDADFAB7BD85CBD42DCB8D2B4EDBFB72,IMPHASH=00000000000000000000000000000000falsetrue 
734700x800000000000000030104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.997{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.997{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.997{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.995{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.994{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.994{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.992{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.992{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.671{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x800000000000000030142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x800000000000000030135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x800000000000000030124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x800000000000000030117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000030116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:44.655{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.373{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10949C81672D0630DAB1A5447F8DA38,SHA256=BFE8DBC1509F42F5ECAF4B173E407C215BA43F65E0EBF159628FF81B8F1D4427,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000038779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 
10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000038778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000038777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000038776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\FlagsDWORD (0x00000002) 13241300x800000000000000038775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\TtlDWORD (0x000004b0) 13241300x800000000000000038774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 
10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\SentPriUpdateToIpBinary Data 13241300x800000000000000038773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\SentUpdateToIpBinary Data 13241300x800000000000000038772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\DnsServersBinary Data 13241300x800000000000000038771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\HostAddrsBinary Data 13241300x800000000000000038770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\PrimaryDomainNameattackrange.local 13241300x800000000000000038769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 
10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\AdapterDomainName(Empty) 13241300x800000000000000038768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\Hostnamewin-dc-ctus-attack-range-146 10341000x800000000000000038767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.078{BEA5AFC2-DC7F-630D-0B00-000000007402}6404752C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x800000000000000038766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 
10:46:44.078{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\RegisteredSinceBootDWORD (0x00000001) 734700x800000000000000030108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.147{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000030107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.147{3AAE424D-EA93-630D-1504-000000007502}5148628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.147{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.147{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000038799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.876{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53957- 354300x800000000000000038798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.875{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local62674-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.875{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local62674- 354300x800000000000000038796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:43.875{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:b800:200:58f1:a3f5:cc7:ffff-62674-truea00:10e:0:0:0:0:0:0win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.875{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local65335- 354300x800000000000000038794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.874{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53368- 354300x800000000000000038793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.874{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53368-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.874{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local50951- 23542300x800000000000000038791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:45.736{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B698E585547656299F0A4F20B56DE843,SHA256=3D31DE803BA9A50B499AB32C3C7F65476AF5D24482475B33739A33760A15A634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:45.530{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47185BC99EF771CCD7D119887D47C69A,SHA256=4A61C1D253085CBFC123B3A7BAD06193F07BF6ABE02250CCA31D618F11856A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.870{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63177-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.870{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63177-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.869{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local64384- 
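The dns.exe records above (EventRecordIDs 38796 to 38798) report one UDP exchange between 10.0.1.14:62674 and 10.0.1.14:53 from both sides. In the initiated view (38796) SourceIsIpv6 and DestinationIsIpv6 are true and the addresses read a00:10e:b800:200:58f1:a3f5:cc7:ffff and a00:10e:0:0:0:0:0:0; the leading 32 bits of both (0a00:010e) decode to 10.0.1.14, the address the two accepted views carry in plain IPv4 fields. The Python below is an added example, not part of this dataset or of Sysmon: it parses Sysmon EventID 3 XML, reads an IPv6-flagged address that is neither loopback, link-local, unique-local nor global unicast (2000::/3) as an IPv4 peer carried in the IPv6 field (an interpretation of these records, not a documented Sysmon behaviour), and collapses the initiated and accepted views of an exchange onto one flow key. The four sample events are constructed to mirror records 38796, 38797, 38798 and 38795.

```python
"""Sysmon EventID 3 (NetworkConnect) triage: parse the XML, repair the
IPv4-in-IPv6-field artefact and collapse both views of one exchange.
Added example; SAMPLE_EVENTS are constructed to mirror this page's records."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sysmon_xml(event_id, computer, fields):
    """Build a minimal Sysmon-style event (constructed test input only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{data}</EventData></Event>')


def parse_event(xml_text):
    """Flatten EventID, Computer and every EventData/Data element into a dict."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
          "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def normalize_addr(addr, is_ipv6):
    """Return (address, repaired).

    An address flagged IPv6 that is not loopback, link-local, unique-local or
    global unicast (2000::/3) is read as an IPv4 peer whose bytes landed in the
    first 32 bits of the IPv6 field (a00:10e:... -> 10.0.1.14). This is an
    interpretation of the records on this page, not a documented Sysmon rule."""
    if is_ipv6 != "true":
        return addr, False
    v6 = ipaddress.IPv6Address(addr)
    if (v6.is_loopback or v6.is_link_local
            or v6 in ipaddress.IPv6Network("fc00::/7")
            or v6 in ipaddress.IPv6Network("2000::/3")):
        return str(v6), False
    return str(ipaddress.IPv4Address(int(v6) >> 96)), True


def flow_key(ev):
    """Direction-independent key: the initiated and the accepted view of one
    exchange map to the same flow."""
    src, _ = normalize_addr(ev["SourceIp"], ev["SourceIsIpv6"])
    dst, _ = normalize_addr(ev["DestinationIp"], ev["DestinationIsIpv6"])
    ends = sorted([(src, int(ev["SourcePort"])), (dst, int(ev["DestinationPort"]))])
    return (ev["Protocol"], ends[0], ends[1])


def summarize_flows(xml_events):
    """Map each flow to the set of image names that reported it."""
    flows = {}
    for ev in map(parse_event, xml_events):
        if ev["EventID"] == 3:
            image = ev["Image"].rsplit("\\", 1)[-1].lower()
            flows.setdefault(flow_key(ev), set()).add(image)
    return flows


DC = "win-dc-ctus-attack-range-146.attackrange.local"


def _dns_event(**fields):
    base = {"Image": r"C:\Windows\System32\dns.exe", "User": r"NT AUTHORITY\SYSTEM",
            "Protocol": "udp", "SourceIsIpv6": "false", "DestinationIsIpv6": "false"}
    base.update(fields)
    return sysmon_xml(3, DC, base)


SAMPLE_EVENTS = [  # constructed: three views of one DNS self-query, plus a loopback one
    _dns_event(Initiated="true", SourceIsIpv6="true", DestinationIsIpv6="true",
               SourceIp="a00:10e:b800:200:58f1:a3f5:cc7:ffff", SourcePort="62674",
               DestinationIp="a00:10e:0:0:0:0:0:0", DestinationPort="53"),
    _dns_event(Initiated="false", SourceIp="10.0.1.14", SourcePort="62674",
               DestinationIp="10.0.1.14", DestinationPort="53"),
    _dns_event(Initiated="false", SourceIp="10.0.1.14", SourcePort="53",
               DestinationIp="10.0.1.14", DestinationPort="62674"),
    _dns_event(Initiated="false", SourceIsIpv6="true", DestinationIsIpv6="true",
               SourceIp="0:0:0:0:0:0:0:1", SourcePort="53",
               DestinationIp="0:0:0:0:0:0:0:1", DestinationPort="65335"),
]

if __name__ == "__main__":
    for key, images in sorted(summarize_flows(SAMPLE_EVENTS).items()):
        print(key, sorted(images))
```

Run as a script it prints two flows: the 62674/53 exchange once (all three records collapse onto it after the address repair) and the ::1 exchange. Without the repair the initiated record would appear as a separate, apparently IPv6 flow with an address that belongs to no allocated range, which is the kind of artefact that breaks allow-lists keyed on peer address.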
354300x800000000000000038787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.868{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63176-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.868{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63176-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.866{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63645- 354300x800000000000000038784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.866{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63645-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.856{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local54523- 23542300x800000000000000038782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:45.179{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD069C25EB22151368FCA3BDD133695,SHA256=9D149A7274627C0E9F320244B5747699D63365F8C0DC87239E445F769C8660B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:45.070{BEA5AFC2-DC7F-630D-0B00-000000007402}6404752C:\Windows\system32\lsass.exe{BEA5AFC2-DC7D-630D-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000038802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:46.835{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A81D06E974D41596F1FD73476DBD2F,SHA256=CF5B7476B61DB3849CC230E95DF1DA69D991B2E46448492B8E63F450B25D3D40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.847{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63178-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 354300x800000000000000038800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.847{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63178-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 23542300x800000000000000030220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.631{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C595DABE7F86CFB570EFEFEEF93F7115,SHA256=890BB4D8B84CF90BFB6F107F9EAFD39F5CC47227ADC43E921C00357C8148A8C2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.413{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000030218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.413{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.413{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000030216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
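Records 38767 and 38781 above are EventID 10 (ProcessAccess) events in which lsass.exe is the source, opening svchost.exe and the System process with GrantedAccess 0x1000 through a kerberos.DLL, lsasrv.dll, SspiSrv.dll and RPCRT4.dll call stack. A rule that matches lsass.exe in either image field fires on these, although lsass is only identifying its RPC client with PROCESS_QUERY_LIMITED_INFORMATION. The Python below is an added example, not code from this dataset or from Sysmon: it decodes the GrantedAccess mask into process rights, alerts only when the target is lsass.exe and the mask carries memory or thread rights, or when the call trace passes through unbacked memory (UNKNOWN frames), and stays quiet on 0x1000 queries and on targets other than lsass. Events are plain dicts keyed by Sysmon's EventData field names, as a SIEM presents them after parsing. The three samples are constructed to resemble record 38767, record 30180 later on this page (conhost.exe opening splunk-winprintmon.exe with 0x1fffff), and a hypothetical dumper whose path and call trace are invented.

```python
"""Sysmon EventID 10 (ProcessAccess) triage. Added example; SAMPLE_EVENTS are
constructed dicts keyed by Sysmon's EventData field names."""
import ntpath

# Process access rights (winnt.h PROCESS_* values)
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights a credential dumper needs on lsass: read or write its memory, or run code in it.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040


def decode_access(granted):
    """'0x1010' -> ['PROCESS_VM_READ', 'PROCESS_QUERY_LIMITED_INFORMATION']."""
    mask = int(granted, 16)
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def unbacked_frames(call_trace):
    """Frames Sysmon could not map to a module are reported as UNKNOWN(address)."""
    return [f for f in call_trace.split("|") if f.startswith("UNKNOWN")]


def triage_process_access(ev):
    """Return (verdict, reasons) for one EventID 10 record."""
    source = ntpath.basename(ev["SourceImage"]).lower()
    target = ntpath.basename(ev["TargetImage"]).lower()
    mask = int(ev["GrantedAccess"], 16)
    reasons = []
    if target == "lsass.exe" and mask & MEMORY_RIGHTS:
        reasons.append("lsass.exe opened with " + "|".join(decode_access(ev["GrantedAccess"])))
    if unbacked_frames(ev.get("CallTrace", "")):
        reasons.append("call trace passes through unbacked memory")
    if reasons:
        return "alert", reasons
    if source == "lsass.exe" and mask == 0x1000:
        # lsass is the caller here: it queries limited information about its RPC client.
        return "benign", ["lsass.exe querying its RPC client"]
    return "benign", []


KERBEROS_TRACE = (r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|"
                  r"C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\lsasrv.dll+302b1|"
                  r"C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63")

SAMPLE_EVENTS = [
    {  # modelled on record 38767: lsass identifying an RPC client
        "SourceImage": r"C:\Windows\system32\lsass.exe", "SourceProcessId": "640",
        "TargetImage": r"C:\Windows\system32\svchost.exe", "TargetProcessId": "1028",
        "GrantedAccess": "0x1000", "CallTrace": KERBEROS_TRACE},
    {  # modelled on record 30180: conhost opening its console client process
        "SourceImage": r"C:\Windows\system32\conhost.exe", "SourceProcessId": "2340",
        "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe",
        "TargetProcessId": "3964", "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7"},
    {  # hypothetical dumper (invented path and trace): full access to lsass from unbacked code
        "SourceImage": r"C:\Users\Public\dump.exe", "SourceProcessId": "4242",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": "640",
        "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6144|UNKNOWN(000001F2A3B40123)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["SourceImage"]), "->", ntpath.basename(ev["TargetImage"]),
              ev["GrantedAccess"], triage_process_access(ev))
```

The second sample shows why the mask alone is not the signal: conhost.exe takes PROCESS_ALL_ACCESS (0x1fffff) on every console client it serves, and only the combination of an lsass.exe target with memory rights, or a stack through unbacked memory, justifies an alert.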
734700x800000000000000030208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000030202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x800000000000000030194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x800000000000000030187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000030184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 
(rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x800000000000000030180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000030177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 
10341000x800000000000000030174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:46:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.226{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:47.701{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C36523BFC179D258569C928CB63D144,SHA256=F619D9B3748D2E90E9CE50E53965DCA1C6E2D944D04B0E86CDE5B28D0944AAEC,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000038811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.940{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63179-false10.0.1.12-8000- 10341000x800000000000000038810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA97-630D-1807-000000007402}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000038808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000038806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA97-630D-1807-000000007402}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA97-630D-1807-000000007402}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.633{BEA5AFC2-EA97-630D-1807-000000007402}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.825{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50297-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:47.311{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D912B8A2CD3CC23650831279672B703A,SHA256=F270FEB2846C98668F53992CFE6588D2F7893F1908400EAD884ACFC58B210505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:48.805{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23220D6599827B8B8E8B11C5B003E3C7,SHA256=383FE9F98810CA4A8FCEC76A0FB26B3268E0B91CDEC24F644D4A36750693889C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA98-630D-1A07-000000007402}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:48.969{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:48.969{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:48.969{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA98-630D-1A07-000000007402}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA98-630D-1A07-000000007402}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.970{BEA5AFC2-EA98-630D-1A07-000000007402}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.656{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=46C29A3E4ADEC1E2EF5A68F0B1993E3B,SHA256=9B4D4C3CA81E1C9AD81D89FDCD0A7EA673D1602ED7504B1AF0394C2EE999EEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.461{BEA5AFC2-EA98-630D-1907-000000007402}32925392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:48.304{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA98-630D-1907-000000007402}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA98-630D-1907-000000007402}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA98-630D-1907-000000007402}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.305{BEA5AFC2-EA98-630D-1907-000000007402}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.211{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1645A9F93484E04533EEEF94812C8E50,SHA256=1F9BA9AFF4F8BCF5C2E5BD8F52FBBA5EDD1AD1E1C5674353804A6EE606FA492A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000038812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.023{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49622067C859CBD4D3DB2B34891D1FD,SHA256=BBB52DAC862545506F36E6BE1AA881A2F56651207EA4ECBF85B0D8138FE27CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:49.895{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8A2DD91D1A9F388DB3B82FAA88D1CB,SHA256=E38659D01F4EF0ACF3891875F83BEFF9819042ADFCD1360DA184444C1E8A4CE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.992{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:49.988{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.987{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.985{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.979{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.966{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.963{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.788{BEA5AFC2-EA99-630D-1B07-000000007402}40404068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.641{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA99-630D-1B07-000000007402}4040C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.639{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:49.639{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.639{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:49.638{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.638{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA99-630D-1B07-000000007402}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.638{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA99-630D-1B07-000000007402}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.637{BEA5AFC2-EA99-630D-1B07-000000007402}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000038850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.629{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.619{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.617{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.615{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.613{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.587{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.581{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.569{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.562{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.558{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.549{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.541{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.532{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.525{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.517{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Sysmon events, channel Microsoft-Windows-Sysmon/Operational, host win-dc-ctus-attack-range-146.attackrange.local, 2022-08-30 (UtcTime). Every record carries Level 4, Opcode 0, Keywords 0x8000000000000000 and an empty Security UserID; Event ID 10 = ProcessAccess (event version 3), 1 = ProcessCreate (version 5), 3 = NetworkConnect (version 5), 23 = FileDelete (version 5). Records are listed in the order they appear, grouped by event type.

Event ID 10 (ProcessAccess)

Record   UtcTime       SourceImage (PID/TID)             TargetImage (PID)              GrantedAccess  CallTrace
(cont.)  -             aurora-agent.exe (-/-)            svchost.exe (912)              0x40           A, UNKNOWN(0000000012438CD0)   [record header and source fields are on the preceding line]
38835    10:46:49.509  aurora-agent.exe (5272/5480)      svchost.exe (852)              0x40           A, UNKNOWN(0000000012438CD0)
38834    10:46:49.467  aurora-agent.exe (5272/5480)      lsass.exe (640)                0x40           A, UNKNOWN(0000000012438CD0)
38833    10:46:49.464  aurora-agent.exe (5272/5480)      winlogon.exe (572)             0x40           A, UNKNOWN(0000000012438CD0)
38882    10:46:50.716  splunk-regmon.exe (5224/6444)     splunkd.exe (4112)             0x101400       R
38881    10:46:50.688  aurora-agent.exe (5272/5416)      splunk-regmon.exe (5224)       0x1010         A, UNKNOWN(00000000128963D0)
38880    10:46:50.688  aurora-agent.exe (5272/5416)      splunk-regmon.exe (5224)       0x1000         A, UNKNOWN(00000000128963D0)
38879    10:46:50.688  aurora-agent.exe (5272/5416)      splunk-regmon.exe (5224)       0x1000         A, UNKNOWN(00000000128963D0)
38878    10:46:50.687  aurora-agent.exe (5272/5416)      splunk-regmon.exe (5224)       0x1010         A, UNKNOWN(00000000128963D0)
38877    10:46:50.687  aurora-agent.exe (5272/5416)      splunk-regmon.exe (5224)       0x1000         A, UNKNOWN(00000000128963D0)
38876    10:46:50.687  aurora-agent.exe (5272/5416)      splunk-regmon.exe (5224)       0x1000         A, UNKNOWN(00000000128963D0)
38875    10:46:50.566  conhost.exe (4064/2216)           splunk-regmon.exe (5224)       0x1fffff       C
38874    10:46:50.566  svchost.exe (852/4516)            sysmon64.exe (2488)            0x1400         L, lsm.dll+fd18
38873    10:46:50.566  svchost.exe (852/4516)            sysmon64.exe (2488)            0x1400         L, lsm.dll+11aad
38872    10:46:50.566  svchost.exe (852/4516)            sysmon64.exe (2488)            0x1400         L, lsm.dll+11058
38871    10:46:50.566  svchost.exe (852/4516)            sysmon64.exe (2488)            0x1400         L, lsm.dll+12023
38870    10:46:50.566  csrss.exe (416/500)               splunk-regmon.exe (5224)       0x1fffff       S
38869    10:46:50.566  splunkd.exe (4112/4624)           splunk-regmon.exe (5224)       0x1fffff       D
38901    10:46:51.884  conhost.exe (4064/2216)           splunk-winprintmon.exe (1268)  0x1fffff       C
38900    10:46:51.884  svchost.exe (852/4516)            sysmon64.exe (2488)            0x1400         L, lsm.dll+fd18
38899    10:46:51.884  svchost.exe (852/4516)            sysmon64.exe (2488)            0x1400         L, lsm.dll+11aad
38898    10:46:51.884  svchost.exe (852/4516)            sysmon64.exe (2488)            0x1400         L, lsm.dll+11058
38897    10:46:51.884  svchost.exe (852/4516)            sysmon64.exe (2488)            0x1400         L, lsm.dll+12023
38896    10:46:51.884  csrss.exe (416/532)               splunk-winprintmon.exe (1268)  0x1fffff       S
38895    10:46:51.884  splunkd.exe (4112/4624)           splunk-winprintmon.exe (1268)  0x1fffff       D
38892    10:46:51.396  splunk-powershell.exe (876/5472)  splunkd.exe (4112)             0x101400       P

Image paths and ProcessGuids referenced above:
  aurora-agent.exe        C:\Program Files\Aurora-Agent\aurora-agent.exe                        PID 5272  {BEA5AFC2-E595-630D-7006-000000007402}
  svchost.exe             C:\Windows\system32\svchost.exe                                       PID 912   {BEA5AFC2-DC81-630D-0D00-000000007402}
  svchost.exe             C:\Windows\system32\svchost.exe                                       PID 852   {BEA5AFC2-DC80-630D-0C00-000000007402}
  lsass.exe               C:\Windows\system32\lsass.exe                                         PID 640   {BEA5AFC2-DC7F-630D-0B00-000000007402}
  winlogon.exe            C:\Windows\system32\winlogon.exe                                      PID 572   {BEA5AFC2-DC7F-630D-0900-000000007402}
  csrss.exe               C:\Windows\system32\csrss.exe                                         PID 416   {BEA5AFC2-DC7F-630D-0500-000000007402}
  conhost.exe             C:\Windows\system32\conhost.exe                                       PID 4064  {BEA5AFC2-DCF5-630D-B000-000000007402}
  sysmon64.exe            C:\Windows\sysmon64.exe                                               PID 2488  {BEA5AFC2-DC92-630D-2500-000000007402}
  splunkd.exe             C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe             PID 4112  {BEA5AFC2-DCF5-630D-AC00-000000007402}
  splunk-regmon.exe       C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe       PID 5224  {BEA5AFC2-EA9A-630D-1C07-000000007402}
  splunk-winprintmon.exe  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe  PID 1268  {BEA5AFC2-EA9B-630D-1E07-000000007402}
  splunk-powershell.exe   C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe   PID 876   {BEA5AFC2-EA9B-630D-1D07-000000007402}

CallTrace legend (consecutive "+offset" entries belong to the module named before them):
  A  C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(address given per row)
  R  C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|+60fe56|+60943|+60f97|+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  P  C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|+605b36|+75996|+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  C  C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|+774b|+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  L  C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+(offset given per row)|C:\Windows\System32\RPCRT4.dll+7ac63|+d5bc1|+5342c|+35824|+3473d|+34feb|+20ddc|+2125c|+106bc|+11f1b|+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  S  C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
  D  C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|+1b3255|+1bd30d|+1b59b6|+dd3c14|+1bd79a|+1c0f1c|+dd07d2|+dd491d|+1bb965|+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Event ID 23 (FileDelete). Every row: Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, PID 632, ProcessGuid {BEA5AFC2-DD02-630D-F800-000000007402}, User NT AUTHORITY\SYSTEM, IMPHASH=00000000000000000000000000000000, IsExecutable false, Archived true.

Record  UtcTime       TargetFilename                                                                                                   Hashes
38832   10:46:49.125  C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational  MD5=2DB860E5CB696B17DE761E324DE986ED, SHA256=B841CA39B1A19054A6778957309E5B8133ECBA76CD788922C5CA022C50F2AE73
38867   10:46:50.267  C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational  MD5=AA1E9AB4639A72DB5A682C87D6697BA3, SHA256=CD49302269002B66B401F6EF3DEAE8FD135225C2FD7039A4EB46E49E6E7829A1
38893   10:46:51.768  C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security                             MD5=343E2C0CABEA82090056CF1AE9005D61, SHA256=2309A24E6A5FB853F50FFD273061FC495FEA39A6C889996689A4AD9D2C46506E

Event ID 1 (ProcessCreate). Both rows: parent C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe, PID 4112, ParentProcessGuid {BEA5AFC2-DCF5-630D-AC00-000000007402}, ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service; FileVersion 8.2.5, Product "splunk Application", Company "Splunk Inc.", CurrentDirectory C:\Windows\system32\, User NT AUTHORITY\SYSTEM, LogonGuid {BEA5AFC2-DC7F-630D-E703-000000000000}, LogonId 0x3e7, TerminalSessionId 0, IntegrityLevel System.

Record  UtcTime       Image / PID / ProcessGuid                                                                                 Description            CommandLine                                                                        Hashes
38868   10:46:50.567  C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe, 5224, {BEA5AFC2-EA9A-630D-1C07-000000007402}       Registry monitor       "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"       MD5=C8BED8D054FDE4C4222F39C750539874, SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490, IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778
38894   10:46:51.886  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe, 1268, {BEA5AFC2-EA9B-630D-1E07-000000007402}  Windows Print Monitor  "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"  MD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97, SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE, IMPHASH=35240A25EDE7EC5A65BF627E57E772B9

Event ID 3 (NetworkConnect)

38902   10:46:49.949  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe, PID 5056, ProcessGuid {BEA5AFC2-DCFC-630D-DD00-000000007402}, User NT AUTHORITY\SYSTEM, Protocol tcp, Initiated true; SourceIp 10.0.1.14 (SourceHostname win-dc-ctus-attack-range-146.attackrange.local), SourcePort 63180, SourceIsIpv6 false -> DestinationIp 10.0.1.12 (DestinationHostname -), DestinationPort 8000, DestinationIsIpv6 false; port names -.
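The Event ID 10 records above capture which image opened a handle to which process and with what GrantedAccess mask (0x40, 0x1000, 0x1010, 0x1400, 0x101400 and 0x1fffff occur here), which is exactly the input a ProcessAccess detection consumes. As an added example that is not part of the page's log data and not code from Sysmon, Splunk or the Aurora agent, the Python below decodes those masks into PROCESS_* rights and runs a small triage over records rebuilt from values on this page plus one hypothetical record. The allow-list, the sensitive-target set, the sweep threshold and the C:\Users\Public\dump.exe record are assumptions made for the illustration.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example, not code from this page. The sample records are CONSTRUCTED
from values in the page's log lines (images, PIDs, GrantedAccess masks);
the final record is hypothetical. Allow-list and target set are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# PROCESS_* object-specific rights plus SYNCHRONIZE (winnt.h values).
ACCESS_BITS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the caller read or manipulate the target's memory or handles;
# these are the ones that matter when the target is lsass.exe.
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020 | 0x0040

SENSITIVE_TARGETS: Set[str] = {"lsass.exe"}                                # assumption
ALLOWLIST: Set[str] = {r"c:\program files\aurora-agent\aurora-agent.exe"}  # assumption


def decode_access(mask: int) -> List[str]:
    """Name the bits of a GrantedAccess mask; bits not in the table stay as hex."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(ACCESS_BITS)
    if rest:
        names.append(hex(rest))
    return names


@dataclass(frozen=True)
class ProcessAccess:
    record_id: int
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    granted_access: int


def triage(events: Iterable[ProcessAccess], sweep_threshold: int = 5) -> Dict[str, list]:
    """alert: non-allow-listed source opened a sensitive target with MEMORY_RIGHTS;
    allowlisted: sensitive target opened by an allow-listed image;
    sweep: one image opened >= sweep_threshold PIDs with one mask, the trace a
    scanning agent leaves (grouped by image path only, host is not modelled)."""
    out: Dict[str, list] = {"alert": [], "allowlisted": [], "sweep": []}
    targets: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for ev in events:
        src = ev.source_image.lower()
        tgt = ev.target_image.lower().rsplit("\\", 1)[-1]
        targets[(src, ev.granted_access)].add(ev.target_pid)
        if tgt not in SENSITIVE_TARGETS:
            continue
        if src in ALLOWLIST:
            out["allowlisted"].append(ev.record_id)
        elif ev.granted_access == PROCESS_ALL_ACCESS or ev.granted_access & MEMORY_RIGHTS:
            out["alert"].append(ev.record_id)
    for (src, mask), pids in targets.items():
        if len(pids) >= sweep_threshold:
            rights = ", ".join(decode_access(mask))
            out["sweep"].append(f"{src} opened {len(pids)} processes with {hex(mask)} ({rights})")
    return out


AURORA = r"C:\Program Files\Aurora-Agent\aurora-agent.exe"
SPLUNK = r"C:\Program Files\SplunkUniversalForwarder\bin"
SAMPLE_EVENTS = [
    # constructed from win-dc records on this page
    ProcessAccess(38835, AURORA, 5272, r"C:\Windows\system32\svchost.exe", 852, 0x40),
    ProcessAccess(38834, AURORA, 5272, r"C:\Windows\system32\lsass.exe", 640, 0x40),
    ProcessAccess(38833, AURORA, 5272, r"C:\Windows\system32\winlogon.exe", 572, 0x40),
    ProcessAccess(38881, AURORA, 5272, SPLUNK + r"\splunk-regmon.exe", 5224, 0x1010),
    ProcessAccess(38874, r"C:\Windows\system32\svchost.exe", 852, r"C:\Windows\sysmon64.exe", 2488, 0x1400),
    ProcessAccess(38869, SPLUNK + r"\splunkd.exe", 4112, SPLUNK + r"\splunk-regmon.exe", 5224, 0x1FFFFF),
    ProcessAccess(38882, SPLUNK + r"\splunk-regmon.exe", 5224, SPLUNK + r"\splunkd.exe", 4112, 0x101400),
    # constructed from win-host records: the same agent sweeping a user session
    ProcessAccess(30262, AURORA, 5752, r"C:\Windows\Explorer.EXE", 3604, 0x40),
    ProcessAccess(30258, AURORA, 5752, r"C:\Windows\system32\winlogon.exe", 3764, 0x40),
    # HYPOTHETICAL, not on the page: an unknown binary reading lsass memory
    ProcessAccess(0, r"C:\Users\Public\dump.exe", 9999, r"C:\Windows\system32\lsass.exe", 640, 0x1010),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_EVENTS).items():
        print(bucket, items)
```

Two design points carry over to a real pipeline: the allow-list is keyed on the full lower-cased image path, not the basename, so a copy of a trusted agent dropped in another directory is not excused; and the sweep bucket is reported separately instead of suppressing the per-event checks, so the lsass.exe open by the agent still surfaces as "allowlisted" and stays auditable.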
Event ID 23 (FileDelete), channel Microsoft-Windows-Sysmon/Operational, 2022-08-30 (UtcTime); both rows IsExecutable false, Archived true, IMPHASH=00000000000000000000000000000000.

Record  Computer                                         UtcTime       Image / PID / ProcessGuid / User                                                                                                  TargetFilename                                                                                                   Hashes
38891   win-dc-ctus-attack-range-146.attackrange.local   10:46:51.380  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, 632, {BEA5AFC2-DD02-630D-F800-000000007402}, NT AUTHORITY\SYSTEM  C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational  MD5=9CCA8384DF1C9B733A3594774A803B1A, SHA256=152C12950BCE026E5FA9903BC97BD075F5C6C6D85D074B91DBC990B6C9DC3E70
30269   win-host-ctus-attack-range-115                   10:46:51.758  C:\Windows\System32\svchost.exe, 964, {3AAE424D-DEE3-630D-1100-000000007502}, NT AUTHORITY\LOCAL SERVICE                           C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat                                              MD5=CADA21B796BA609867964945EA5801E9, SHA256=11FD3F307617C51CB0847426672F5B4D2CE98D874B810F469C53322355FAFA53

Event ID 10 (ProcessAccess), host win-host-ctus-attack-range-115, 2022-08-30 (UtcTime). Every row has the same source, C:\Program Files\Aurora-Agent\aurora-agent.exe, PID 5752, TID 5948, ProcessGuid {3AAE424D-E5D3-630D-6803-000000007502}; GrantedAccess 0x40; and the same CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10).

Record  UtcTime       TargetImage (PID)                                                                         TargetProcessGuid
30268   10:46:51.685  C:\Windows\system32\wbem\wmiprvse.exe (4604)                                              {3AAE424D-E9D5-630D-F803-000000007502}
30267   10:46:51.684  C:\Windows\system32\conhost.exe (2864)                                                    {3AAE424D-E695-630D-9303-000000007502}
30266   10:46:51.683  C:\Windows\system32\cmd.exe (5504)                                                        {3AAE424D-E695-630D-9203-000000007502}
30265   10:46:51.681  C:\Program Files\Notepad++\notepad++.exe (3772)                                           {3AAE424D-E5F8-630D-7E03-000000007502}
30264   10:46:51.667  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (4996)         {3AAE424D-E5CD-630D-6503-000000007502}
30263   10:46:51.653  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe (4848)   {3AAE424D-E5CC-630D-6303-000000007502}
30262   10:46:51.617  C:\Windows\Explorer.EXE (3604)                                                            {3AAE424D-E5C4-630D-5403-000000007502}
30261   10:46:51.604  C:\Windows\system32\svchost.exe (2388)                                                    {3AAE424D-E5C4-630D-4B03-000000007502}
30260   10:46:51.590  C:\Windows\System32\rdpclip.exe (3036)                                                    {3AAE424D-E5C3-630D-4803-000000007502}
30259   10:46:51.584  C:\Windows\system32\dwm.exe (3720)                                                        {3AAE424D-E5C1-630D-4303-000000007502}
30258   10:46:51.583  C:\Windows\system32\winlogon.exe (3764)                                                   {3AAE424D-E5C0-630D-4103-000000007502}
30257   10:46:51.580  C:\Windows\System32\msdtc.exe (1876)                                                      {3AAE424D-DF5D-630D-E800-000000007502}
30256   10:46:51.572  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe (3432)                 {3AAE424D-DF54-630D-E300-000000007502}
30255   10:46:51.569  C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe (744)  {3AAE424D-DF4E-630D-CA00-000000007502}
30254   10:46:51.567  C:\Windows\system32\conhost.exe (2340)                                                    {3AAE424D-DF47-630D-9D00-000000007502}
30253   10:46:51.563  C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe (680)                           {3AAE424D-DF47-630D-9900-000000007502}
30252   10:46:51.562  C:\Windows\system32\conhost.exe (3292)                                                    {3AAE424D-DEEC-630D-6500-000000007502}
30251   10:46:51.561  C:\Windows\system32\WinrsHost.exe (3200)                                                  {3AAE424D-DEEC-630D-6400-000000007502}
30250   10:46:51.559  C:\Windows\system32\conhost.exe (2040)                                                    {3AAE424D-DEE5-630D-3600-000000007502}   [CallTrace of this record breaks off after KERNELBASE.dll+c6b98(wow64)|C:\Program and continues on the following line]
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.557{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.555{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.553{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.549{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.543{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.538{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.537{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.526{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.506{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.500{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.491{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.463{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.454{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.446{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 354300x800000000000000030235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:49.861{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50298-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000030234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.438{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.426{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.422{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.414{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.406{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.399{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.391{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.388{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 23542300x800000000000000030226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.003{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E65C57D294147A8CC4D01D2F7F77EB,SHA256=BCDC664A5539811F34C94F89502EDF668E175C80515DA6169B516C597EAFA42F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA9B-630D-1D07-000000007402}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:51.239{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:51.239{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:51.239{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EA9B-630D-1D07-000000007402}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA9B-630D-1D07-000000007402}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.240{BEA5AFC2-EA9B-630D-1D07-000000007402}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000030280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002ddaa5) 13241300x800000000000000030278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc55-0x6e92ab0e) 13241300x800000000000000030277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5d-0xd057130e) 13241300x800000000000000030276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD 
(0x01d8bc66-0x321b7b0e) 13241300x800000000000000030275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002ddaa5) 13241300x800000000000000030273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc55-0x6e92ab0e) 13241300x800000000000000030272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5d-0xd057130e) 13241300x800000000000000030271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc66-0x321b7b0e) 23542300x800000000000000030270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:52.147{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CE364384FE2F269D2928A55F9176AF,SHA256=650CD698EA9C0ED35756285C42A28ADB2A70FB48C251F41519BE4636D504BDFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.616{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.607{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 
10341000x800000000000000038922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.582{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.571{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.561{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.556{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.551{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.549{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.546{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.543{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.541{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.540{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.536{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.535{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.534{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.533{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.532{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.531{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.529{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.481{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C9BB27CEF1E8625294A0619F47C30F,SHA256=CBC72C3FC5CE703FA46895ECF5FBDE5DBA618C62CD3FE7BFDFA881797513D87E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000038904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.011{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.010{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:53.560{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFC905B15CF30455ABFA72AA7C33529,SHA256=D0FC589E8FEC976B8562502B3D960E7CEB0526272E044A58494ECE010D5BB481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:53.305{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B40C687235BC2DACDDA9DD42A6327D,SHA256=84354DF18AC0EEDF393053A64F9B344528FB4D5AAC54EA84958489620E07F513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:54.658{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBDFB394F045B2CF86CCB0ED093F423,SHA256=CF770DCB6766CF7B667EC5F06E4F861132770EB4FA7530871A59CEC37A89555C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:54.392{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D314CEC2AF6CBD293DD8CB1EA91F077,SHA256=6198223DBBE6BCFF0104E21B321C49C1524A017D5F0E6DCEF9FE91083177D97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:46:55.764{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77F7229284CEE3D75D54F695ED46AA1,SHA256=539DADA64276793B575FACD0E700579DCEB3A4F4C6D52966A41E3B0654686476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:55.484{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B3805D88EE74C78FFEE9B5661FBAD,SHA256=442078EF6D8D1C273BD0DB8B74307F0AF52B3AA9A68531B4DCA0238712913C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:56.885{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E97F68C7A46CB24F9A5A4670572CD02,SHA256=A68964064986C3E11AB580FF16690DCBDE88E81F1B47F9DBF3A0E657C87D5915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:56.854{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881E9692FE973E5B90053B3160C608D9,SHA256=5800C7C34BA81AEA08ED2AED6626407B5F157B5C2F79D2E670DD6FCD6B8BAAB5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000030284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:56.578{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6107E8E4DC694DF8F2B16D3AB55FC61D,SHA256=AD69135E5FDE6FD44B75593C144D8CCDD8579148ACC5549DFDF7798B677BB9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:57.951{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46605501E40B9AC6E14B47FA1C6EE6EE,SHA256=A4D399BF9D4E836027933BCA21FFA57CD6F9DBBB9EAD6E3FFA15CD6BE2240874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:57.669{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43761449C01E69AB0F6F45CD2602E79F,SHA256=75F1466943A366B6AB7E69934E31B6D91DFAAC8AD04D87A4FD185F7DF93264E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:55.834{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50299-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x800000000000000030287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:58.660{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEC9D3D7FDCBD8D4F024D2B1A0F4CCB,SHA256=199DEF4351D7E17C92C24812ECE49D8130A68834DD201E1CC610015203A6C5EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:55.884{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63181-false10.0.1.12-8000- 23542300x800000000000000030290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:59.736{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88ECBF58C28EFD2B9198A92EAC775CF,SHA256=9F5B06711003A17A22A29B10B1EB220B8EA79E9336090BAF090EDE3C214C0148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:59.041{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3797E52576EC4F0C02A6BCEBA2CA807F,SHA256=3E1D23D7FFCC044AFF82DAC5062C6D68E9F7EC3F703A0A4D063E199D547799D1,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x800000000000000030289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:59.580{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:59.580{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000030291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:00.947{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC487868A046F6738DC51BB8E0D0ADFE,SHA256=D231D23434D99E1C1B114733AF76A5AB98DE7EBD41FC3BF850B90070E00069C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:00.115{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFBC6B40CA71E372BB452734BA87D87,SHA256=AD1A556F6C89EABC5F425BD1EB9C943859EEE00DD79B89C6598B4CAA2B494F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:47:01.205{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83975160A4599013CC990111985D4A37,SHA256=7E664ABA07381DAF719E1503E14BE3D74FA98D46C69DFEEF2EAF819B8C6B3B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:02.309{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BE94AB0A6FA61A3BE70836DC3857BC,SHA256=2D555A4C89D8260ADAB7354C9EEE0C1409E57D587FFC79B563FF8195D6C384ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:02.040{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243C7314C0AEE9FE0DAC5CF41DDE8C7C,SHA256=A22C65E3B24F3477EE86B0FADC71168C782E2E314C026EC0B70DD930EEEE3B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:03.397{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1900EA90A65C9B4283DB9D9017117A2A,SHA256=9DE3784FD38F0476B9F55D0074531259B1FB2CCC21B5AA603747F041F52A5B53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:01.812{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50300-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:03.132{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F10791700E18D2885F1C78DC417F41,SHA256=37F8DF43C90DF8F44DD356A809EC81E7F7F25AAE40D13CCA12CE503A7B884339,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:00.887{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63182-false10.0.1.12-8000- 23542300x800000000000000038938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:04.490{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB7B01FC54031BA122C84DD9E1B2799,SHA256=8259D0E403F9F1F7A0351C2E9BB83C42C330B2DE680DC006CD7642A174754575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:04.321{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FB496BCD566B6D90FDBDDDC8956099,SHA256=49BD6DEEFBF8EE3E1807022FCC67C259E8C3D5B841978878801450BEAD3A90BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:05.578{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131F80A18944F52C2C8A9F990C62FB53,SHA256=FD511CA4A60D648EE7230ED84B2EB83E7CFB8338B39FAE35DFA51539C6821BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:05.406{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3082505E08037732C10F7F8FF6FCAC,SHA256=6B6AE61ADBA2C94B1FC66AB17464CAF8652296CDE02C9A6CF310519F48D1ADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:47:06.680{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6C4D32BB4057A8F3F5FA0CC7FA84F3,SHA256=9899FA3F09864D73CDA03BB845451CDE51120FF715C7B57DA25CBA788FCD4F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:06.499{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46F5E7ABEA8606C787406B8BB98A274,SHA256=4640599CC4B62896D854014975DB86A40AC2591AE447E021791E878547362848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:07.768{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34169F27C9701CA1D22854E6F5484AB,SHA256=E3A7DC9588218986D5690143DFED4EEFC191BEB44CEE6A66602AF5460A35DA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:07.594{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9219900B237B7B3DE2EB22D377D6E7EF,SHA256=B558DDB340FC56E48956B56310944FEAC34D164E9CD82C795AB1963FD1C98DEA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000030298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:07.112{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-048MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:08.868{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58F78F22F14185908197317B74BE163,SHA256=356E021046C1695E6E5B48C2A512B47C5BE5FCAACF84F405B9E05F5DE22CBE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:08.803{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741DF723D17D76EEE73085E74FCCCC0D,SHA256=110C6FC6D5640D3D8633567A01C1F2AECB3EA4465C6E994B921D91DFFB487037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:08.113{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.921{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDEB71CC15860963FC62A1ED5374BF3,SHA256=86068DF81BC445239026A1AF25DDBABAEA18266C32AB98177DCC56093E66A9D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:09.895{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED860A78E184F3923F80F6362B87A367,SHA256=4BD0A1E89346699D2F30D6A63A5DB6E714E3BB8D3F069E2D654657ECE1F96FA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.701{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.693{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.690{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.688{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.686{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.648{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.639{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.619{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.609{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.601{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.588{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.579{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.566{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.550{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.531{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.513{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.477{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:47:09.470{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.466{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 354300x800000000000000038943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:06.885{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63183-false10.0.1.12-8000- 354300x800000000000000030302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:06.912{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50301-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:10.989{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60E8E274BFA07E796370A96EE20D3DF,SHA256=77CC8C28CDBAE7C6D7310649C2240CAB3E98AA9656F704755271D13E43392291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.150{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.145{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.144{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.135{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.130{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.117{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.114{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:11.001{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178B532AD48A29A08F53109CE2022363,SHA256=16543143B67F45EF493D99E399E4A556DDFB01DF0306D93ED068A863E9CF4E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.787{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E03694A0B5F5B15BA85475AAFF21DEA7,SHA256=A79A89497371F04E06280B6F6DCD22004457936CC6D48B5F9D8AC4F20D57B029,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:11.722{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.721{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.720{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.716{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.693{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.668{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610)

Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-ctus-attack-range-115, RuleName -.
Values shared by every record in this group (the flattened export runs SourceProcessId and SourceThreadId together as 57525776):
  SourceProcessGUID {3AAE424D-E5D3-630D-6803-000000007502}
  SourceProcessId 5752, SourceThreadId 5776
  SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  GrantedAccess 0x40
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610)

EventRecordID | UtcTime                 | TargetProcessGUID                      | TargetProcessId | TargetImage
30338 | 2022-08-30 10:47:11.619 | {3AAE424D-E5C4-630D-4B03-000000007502} | 2388 | C:\Windows\system32\svchost.exe
30337 | 2022-08-30 10:47:11.609 | {3AAE424D-E5C3-630D-4803-000000007502} | 3036 | C:\Windows\System32\rdpclip.exe
30336 | 2022-08-30 10:47:11.598 | {3AAE424D-E5C1-630D-4303-000000007502} | 3720 | C:\Windows\system32\dwm.exe
30335 | 2022-08-30 10:47:11.596 | {3AAE424D-E5C0-630D-4103-000000007502} | 3764 | C:\Windows\system32\winlogon.exe
30334 | 2022-08-30 10:47:11.587 | {3AAE424D-DF5D-630D-E800-000000007502} | 1876 | C:\Windows\System32\msdtc.exe
30333 | 2022-08-30 10:47:11.584 | {3AAE424D-DF54-630D-E300-000000007502} | 3432 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
30332 | 2022-08-30 10:47:11.581 | {3AAE424D-DF4E-630D-CA00-000000007502} | 744  | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
30331 | 2022-08-30 10:47:11.580 | {3AAE424D-DF47-630D-9D00-000000007502} | 2340 | C:\Windows\system32\conhost.exe
30330 | 2022-08-30 10:47:11.574 | {3AAE424D-DF47-630D-9900-000000007502} | 680  | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
30329 | 2022-08-30 10:47:11.572 | {3AAE424D-DEEC-630D-6500-000000007502} | 3292 | C:\Windows\system32\conhost.exe
30328 | 2022-08-30 10:47:11.570 | {3AAE424D-DEEC-630D-6400-000000007502} | 3200 | C:\Windows\system32\WinrsHost.exe
30327 | 2022-08-30 10:47:11.569 | {3AAE424D-DEE5-630D-3600-000000007502} | 2040 | C:\Windows\system32\conhost.exe
30326 | 2022-08-30 10:47:11.564 | {3AAE424D-DEE5-630D-3500-000000007502} | 2636 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe
30325 | 2022-08-30 10:47:11.562 | {3AAE424D-DEE4-630D-2400-000000007502} | 2480 | C:\Windows\system32\wbem\unsecapp.exe
30324 | 2022-08-30 10:47:11.561 | {3AAE424D-DEE3-630D-2200-000000007502} | 2280 | C:\Windows\system32\svchost.exe
30323 | 2022-08-30 10:47:11.557 | {3AAE424D-DEE3-630D-1E00-000000007502} | 1984 | C:\Windows\system32\svchost.exe
30322 | 2022-08-30 10:47:11.551 | {3AAE424D-DEE3-630D-1D00-000000007502} | 1960 | C:\Windows\sysmon64.exe
30321 | 2022-08-30 10:47:11.548 | {3AAE424D-DEE3-630D-1C00-000000007502} | 1944 | C:\Windows\System32\svchost.exe
30320 | 2022-08-30 10:47:11.546 | {3AAE424D-DEE3-630D-1A00-000000007502} | 1788 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
30319 | 2022-08-30 10:47:11.532 | {3AAE424D-DEE3-630D-1800-000000007502} | 1696 | C:\Windows\System32\spoolsv.exe
30318 | 2022-08-30 10:47:11.515 | {3AAE424D-DEE3-630D-1700-000000007502} | 1172 | C:\Windows\system32\svchost.exe
30317 | 2022-08-30 10:47:11.513 | {3AAE424D-DEE3-630D-1600-000000007502} | 1164 | C:\Windows\system32\svchost.exe
30316 | 2022-08-30 10:47:11.501 | {3AAE424D-DEE3-630D-1500-000000007502} | 960  | C:\Windows\system32\svchost.exe
30315 | 2022-08-30 10:47:11.467 | {3AAE424D-DEE3-630D-1400-000000007502} | 864  | C:\Windows\system32\svchost.exe
30314 | 2022-08-30 10:47:11.459 | {3AAE424D-DEE3-630D-1300-000000007502} | 692  | C:\Windows\system32\svchost.exe
30313 | 2022-08-30 10:47:11.451 | {3AAE424D-DEE3-630D-1200-000000007502} | 996  | C:\Windows\System32\svchost.exe
30312 | 2022-08-30 10:47:11.443 | {3AAE424D-DEE3-630D-1100-000000007502} | 964  | C:\Windows\System32\svchost.exe
30311 | 2022-08-30 10:47:11.427 | {3AAE424D-DEE3-630D-1000-000000007502} | 928  | C:\Windows\System32\svchost.exe
30310 | 2022-08-30 10:47:11.422 | {3AAE424D-DEE3-630D-0F00-000000007502} | 900  | C:\Windows\system32\dwm.exe
30309 | 2022-08-30 10:47:11.411 | {3AAE424D-DEE3-630D-0E00-000000007502} | 892  | C:\Windows\system32\LogonUI.exe
30308 | 2022-08-30 10:47:11.401 | {3AAE424D-DEE2-630D-0D00-000000007502} | 788  | C:\Windows\system32\svchost.exe
30307 | 2022-08-30 10:47:11.392 | {3AAE424D-DEE2-630D-0C00-000000007502} | 720  | C:\Windows\system32\svchost.exe
30306 | 2022-08-30 10:47:11.381 | {3AAE424D-DEE2-630D-0B00-000000007502} | 624  | C:\Windows\system32\lsass.exe
30305 | 2022-08-30 10:47:11.378 | {3AAE424D-DEE2-630D-0900-000000007502} | 564  | C:\Windows\system32\winlogon.exe

Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-ctus-attack-range-115, RuleName -.
  EventRecordID 30347, UtcTime 2022-08-30 10:47:12.295
  ProcessGuid {3AAE424D-DF54-630D-E300-000000007502}, ProcessId 3432, User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=4E8A16D8AC9DC70A6CF925A62941EE28,SHA256=3DA7F85E58AD642A53FA27E33974DBB909EDD5F73EC09A89377D27BAEEE67682,IMPHASH=00000000000000000000000000000000
  IsExecutable false, Archived true

Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-ctus-attack-range-146.attackrange.local, RuleName -.
Values shared by every record in this group (the flattened export runs SourceProcessId and SourceThreadId together as 52725480):
  SourceProcessGUID {BEA5AFC2-E595-630D-7006-000000007402}
  SourceProcessId 5272, SourceThreadId 5480
  SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe
  GrantedAccess 0x40
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0)

EventRecordID | UtcTime                 | TargetProcessGUID                      | TargetProcessId | TargetImage
38994 | 2022-08-30 10:47:12.783 | {BEA5AFC2-E598-630D-7306-000000007402} | 5672 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
38993 | 2022-08-30 10:47:12.773 | {BEA5AFC2-E596-630D-7106-000000007402} | 5496 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
38992 | 2022-08-30 10:47:12.739 | {BEA5AFC2-E589-630D-6306-000000007402} | 1908 | C:\Windows\Explorer.EXE
38991 | 2022-08-30 10:47:12.732 | {BEA5AFC2-E587-630D-5706-000000007402} | 4440 | C:\Windows\system32\svchost.exe
38990 | 2022-08-30 10:47:12.720 | {BEA5AFC2-E587-630D-5406-000000007402} | 4264 | C:\Windows\System32\rdpclip.exe
38989 | 2022-08-30 10:47:12.714 | {BEA5AFC2-E585-630D-4E06-000000007402} | 1460 | C:\Windows\system32\dwm.exe
38988 | 2022-08-30 10:47:12.712 | {BEA5AFC2-E584-630D-4C06-000000007402} | 2988 | C:\Windows\system32\winlogon.exe
38987 | 2022-08-30 10:47:12.710 | {BEA5AFC2-E492-630D-2D06-000000007402} | 4356 | C:\Windows\system32\wbem\wmiprvse.exe
38986 | 2022-08-30 10:47:12.707 | {BEA5AFC2-DD0C-630D-FC00-000000007402} | 4272 | C:\Windows\System32\msdtc.exe
38985 | 2022-08-30 10:47:12.703 | {BEA5AFC2-DD02-630D-F800-000000007402} | 632  | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
38984 | 2022-08-30 10:47:12.701 | {BEA5AFC2-DCFC-630D-DD00-000000007402} | 5056 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
38983 | 2022-08-30 10:47:12.700 | {BEA5AFC2-DCF5-630D-B000-000000007402} | 4064 | C:\Windows\system32\conhost.exe
38982 | 2022-08-30 10:47:12.696 | {BEA5AFC2-DCF5-630D-AC00-000000007402} | 4112 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
38981 | 2022-08-30 10:47:12.695 | {BEA5AFC2-DCA7-630D-7700-000000007402} | 3900 | C:\Windows\system32\conhost.exe
38980 | 2022-08-30 10:47:12.694 | {BEA5AFC2-DCA7-630D-7600-000000007402} | 4060 | C:\Windows\system32\WinrsHost.exe
38979 | 2022-08-30 10:47:12.693 | {BEA5AFC2-DCA1-630D-7400-000000007402} | 3348 | C:\Windows\system32\conhost.exe
38978 | 2022-08-30 10:47:12.691 | {BEA5AFC2-DCA1-630D-7300-000000007402} | 3288 | C:\Windows\system32\WinrsHost.exe

10341000x800000000000000038977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.690{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.688{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 354300x800000000000000038975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.248{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63184-false10.0.1.12-8089- 10341000x800000000000000038974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.170{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.169{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.094{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C86F7343075130CDFDB496FFBD1DD65,SHA256=B7964310678112C2671742EFE983887323499E333CA34A80B8899F73262DB107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:13.375{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7663AEED35D52A0A3FD94C3216FA59,SHA256=7359735CDC6EDC2C2CC8C86A1DABB1ABB79D79ADA8548649E854E45F66D3ABD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:13.166{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2ED788909F798FAA818375D43B256F,SHA256=5F43576A85FB8E6500BB51E6474207489EF5F06813B3F40778F29B8FC32515DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:14.574{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4722BC356272950027163E46893A4CB,SHA256=B675BD7EEB500CF4181CA429456455B7DFBFF1A07765C88169B6FADB15723543,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:11.929{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63185-false10.0.1.12-8000- 23542300x800000000000000038996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:47:14.246{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695DC0C3F0985EC98CF2EDA84DE00157,SHA256=99F39FF3BA285AE538CD5AD7E7D6E4801960DC6131C51619227164B795239401,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:12.818{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50302-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:14.476{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2309E414D91C0A44D3B1CF58BEE0AFC0,SHA256=46A508086596CD9450AE24FD21D8A8BF3DB820A44ECB9D83DD98CCBAAE076254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:15.335{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204EF3AA4D050D5C0B21F75FA0638623,SHA256=5B7014CF4FA898B3D29F938D607FE326737F9E61111E3AC3DD25A34C0BD54E02,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000039000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:13.238{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63186-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:13.238{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63186-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000030351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:15.563{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA52B9CE694F7A31A3FE26172382622E,SHA256=3A4631047E8F7CBD18A3B748C231078762DCAFA1E4A01FCB79106DEB33D4D2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:16.654{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E119E84A3AF1E735B1917C88BB1871,SHA256=020F3D81EAADE730F11EB75EDAFE725B193C5D56096103FFD0FB76F9EDD7410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:16.425{BEA5AFC2-DD02-630D-F800-000000007402}632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1334D23148D087878E14C892079AA676,SHA256=B4995879B294738A202348B27FBBA40A554B59C8B5BF8DD8C32951CD213469C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:17.855{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A7099BC5A6C6D283DF5E89826DD31F,SHA256=0AD4AABD7CF5DC5B79316C3B3BE63C27C5B7F6357FB59EE86A5E9D3682CD18B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:17.517{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D862E86B2C37681B11B368D0CCA12C44,SHA256=AF7E4D05C72A9236116331FFA3165437DB890E40447957A1E0186E49CBA23ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:18.604{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62FAD0D2CD6E3D2C983E4171AFD8CD2,SHA256=51C7CE123552E3C379A55EF681C856F980C6684CA89BAF0CAF1B8219DA38F8BB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000039004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:18.353{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6917F5564AADD5AFE8CBE1E04E1B97A1,SHA256=F22FBD203E2B03F336611CA7D40C5E97395DD8970596BD9B21F2BAC3560830B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:19.705{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02273450FD81A9EA482F8351E249A8E8,SHA256=98A3B9886116FDE9AE225B5F1933F6C9E8B1C7EC8960F90E8AF3B10A1F3A684D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:19.060{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B466979609262287C3FE5BE03FA4A643,SHA256=9F8688019090928FBAAC0004D87064D3FBBDF0EF5DDE1E9EA08B88C092000CDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:17.888{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63187-false10.0.1.12-8000- 
23542300x800000000000000039008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:20.794{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043BD8AB1244192F46B3D3DEE0AEDCC9,SHA256=621D7B0A3699CE390D2655E7A2C2354F71145F2282CB04245650E26D87764B37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:18.722{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50303-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:20.147{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618BA89D4CC8359798ADC3CD1A7B5492,SHA256=0F9D977B7558D8B65E1F5336BF0E12DC0A9A1226074AD0380254B7CBDC6BD18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:21.888{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FCF94ABF7CD8707D3C15A9769878D7,SHA256=933D8AF96D9F33B2C68394EDA481CF10FA7994348ADEB4E845A2FF958FA0EA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:21.237{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AE67308E9A1DF15A6C382ADD563C39,SHA256=7900C76E7B6B8A246E8F35A2FC0E430DECBFDBC15671C4C4208CC29323E56593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:22.993{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813DBE5D91A820CB0CC4B0095CFFEFDC,SHA256=F9A2C9EC9853E2DE8DC9022C9024C127D2F72008B5E8214CFB987103D924C559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:22.328{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6C70AD1A3AEF5836B3A78FAEAB1EE9,SHA256=F5707AD60449437B4E1A93904A3C4270E8C997AEDB731F06494105FDF1D1D683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:23.406{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5972CC26FC51D76895DF0DC5EC72E03A,SHA256=A8FDF99000D3703206009EE84320C1465C22E429C84C2084B19BC55571FAD3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:24.500{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEDD997ED09A654AA504434B55B3792,SHA256=1CB8BB5C28A643675D4ADDCB5741B79062A8DCA5A5E0994A6D348269EFC5BE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:24.098{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30CFD74ACDC4647DA6CCC07A05466BA,SHA256=534BB3BBC96C5B1136194BB75D29D7FECFB47112A1D21016735EAF15E744939A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:23.898{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50304-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:25.595{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1203AEFA0733BABE40517BFE1086E857,SHA256=02C80CB718011B145F3CFA97C83291211FCE90289AAF13F13EA27D4A7118EC9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:23.826{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63188-false10.0.1.12-8000- 23542300x800000000000000039012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:25.184{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B568CD46073864553283005C18E80F00,SHA256=5A3B707556D86734E2887D0D754BF11FBD75C3BEFE00B2424C5810C30E84482D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:26.688{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37837B4F7249052A0B33A1F146F8FA2A,SHA256=6DD143E9032E3F317EFBB006BA3A5531794A4D5521ACA20B8805B66344B67DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 
10:47:26.274{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B044091E04D7D9E46DD4BFEC0C5490,SHA256=00BD7512CE70BB0085D283F8AF9C09648B29D05F0C8E659906F9CBA17D012B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:27.777{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C158543F5C6D94FC0FC745E9E06574C6,SHA256=742EA018C9932AE8D40768ACB77BAB42B1D6E5D9CCF18EAE90EDA7BE3681C894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:27.368{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC977BB173CE9B3DB22E351BCCDE053C,SHA256=0605E30E91C2ACC62E4B2FD63B4595D0C64D418A0868C5BADBC1778C37488A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:27.385{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000039016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:28.461{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBC8288DB499EA68CD7F3D9458419DE,SHA256=12BBD39154AB88226CFD311F64EA6499B4B3162B82041739DC2A602DCEBE5140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.646{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.641{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.656{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.655{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.653{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.652{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.648{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.645{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.638{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.634{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.630{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.620{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.595{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.591{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.578{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.526{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.513{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.500{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.486{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.459{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.449{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.442{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.433{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.425{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.415{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.411{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000030369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.164{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FE3DFA4F86AA3A3AE97B86B8CDBACB,SHA256=BBD03F2BBDB317D748CCBC80D7ED48BE61A2DD53006C94582231084AC77A0A07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:28.909{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63190-false10.0.1.12-8000- 23542300x800000000000000030412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:32.455{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3E7097D72DA3F849B0D30837CE5AA8,SHA256=81EDA6729B953BEB7CE729143DB75B6047C758F4581BB533E7D49D0EEA7E6BD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.915{BEA5AFC2-DC81-630D-0D00-000000007402}9123812C:\Windows\system32\svchost.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.739{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.732{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.707{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.701{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.692{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.687{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.686{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.683{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.680{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.668{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.666{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.665{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.660{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.658{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.658{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.657{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.656{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.655{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.653{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.141{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program 
Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.140{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 354300x800000000000000030411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:29.772{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50306-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000030462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 
(rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08,IMPHASH=9178CB7144790F36275451518A7203D6trueMicrosoft WindowsValid 734700x800000000000000030461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI DC and DP functionalityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi.DLLMD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DA,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000030460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:33.721{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000030457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 
734700x800000000000000030456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000030455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7,IMPHASH=5CFF0D3EC414472191BC623FB107BCF1trueMicrosoft WindowsValid 734700x800000000000000030454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.705{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 10341000x800000000000000030453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:33.705{3AAE424D-DEE3-630D-1400-000000007502}8641136C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x800000000000000030451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x800000000000000030448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000030447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:33.689{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000030445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x800000000000000030444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000030440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x800000000000000030432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DAB,IMPHASH=8BFED2C4A0A233671E2426106589658DtrueMicrosoft WindowsValid 734700x800000000000000030431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x800000000000000030430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2,IMPHASH=20C3512CFF09FABFB994B8B9DBF73B4FtrueMicrosoft WindowsValid 10341000x800000000000000030425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:33.658{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 
10:47:33.658{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.651{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program 
Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000030419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.651{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000030418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.649{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000030417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.646{3AAE424D-E5