354300x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:43:58.901{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50264-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:00.451{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EA3A6E057AC6F8A68A2847A7392575,SHA256=8A7D8F4BD72BE141D565DE11DABEB8740C122EC3141B85C2ECA7DBA4277392C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:00.476{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3517B873015C4D6EA41DF5205C9A8C7,SHA256=22EE0BAC2336933BB6C52B7D97D716814DE7CDAB9594F5413DCDBBDC36C75AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:01.546{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3584944DC68F612D4ABD001BC0E9A98,SHA256=817C019C8D121B1EEFA8FE2E81D760E60A6FB8DBB7A275168DDD0876BEA8729A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:01.566{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85900C07E21B04C5A0E968506C62D12C,SHA256=FAF60BBBDF6B08C3362FEAFA25F16E223F92EB52A28F9201A84B6F77EBBB8DDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:01.439{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:01.439{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:01.439{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:02.851{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D79166572D7319749DDD80585C8FCC6,SHA256=57E7952DA2B301F3F5911884E5CF54969F2258C1119AAB3BC803154C1A3FDFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:02.652{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB706ABFABE1936C57CDF8668695993,SHA256=C74E31DAC39AFCA8B00A37B80215337D68F016431048715F54F1ECE9966B4085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:02.533{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-045MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:03.746{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E946A171E1B3377EDD1859DF0B55A7,SHA256=7D31F8C66F3964DDFD6B9622AAE97E4E63C40F5271130D7158C7999F83B78665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:03.532{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-046MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:02.837{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53684-false10.0.1.12-8000- 23542300x800000000000000037947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:04.833{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA00F42781775BADF3800619CDFA670,SHA256=F90CCFE89950F5C15713CD9B462C4FA0BDBD67F9B55B2195C2D3937B4E3E45E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.761{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.761{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.322{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.322{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.291{3AAE424D-DEE3-630D-1400-000000007502}8641180C:\Windows\system32\svchost.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.276{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.276{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.276{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.260{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.260{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.021{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920C698B244B741A4851055AE30A9667,SHA256=7C182F43639C5D2949E0D2706A0D91C31BAC9EB58E97D6773F4CB2EA448BF4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:05.934{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A72473F15DADFAB212999E0C5EED478,SHA256=C9DDA93340D2EC088CBF7F9802C4E838FFE6D48627617A583C06BE90AABC95E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:03.937{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50265-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.340{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC880F50F8C4A4F68C39C22C11C1951,SHA256=C29F29F77A58F08A953C9DB358D3A03E8F391EAD31F994DCEA3D491E31663536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.120{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B137FEBC54019DD1F01F25C3560999,SHA256=834D06451A4D0542FB6AD33A2C364D3735A47899CEE28ECD6D08B89D8D85D9FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.056{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.056{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.056{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.055{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.055{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.055{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.211{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AB928D40B2061134735B869B5C1344,SHA256=E3DF81EDAE4B794A4E2DE0591F702A8446172755D30597CC2390BD306B3F2E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:07.297{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8967B2E257352AB959EA6035346BF613,SHA256=1B22EC4E0E0EE8321E281137661C13C02DA74AD915C4221A4331310B359DD080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:07.021{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE65D8DC350FF157A66CE0485428F4B,SHA256=82640DB4C88D95E0B95CBD5B7BFA713CA021B106F5659324020231D893E9261C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.706{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=7531591CFCB1090DA5F6A3788D0B9EF39FB416C50F7A167EFFB1495E83DE5AD2 13241300x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.706{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-1152022-08-30 10:44:08.706C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=7531591CFCB1090DA5F6A3788D0B9EF39FB416C50F7A167EFFB1495E83DE5AD2 13241300x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.706{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.690{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.595{3AAE424D-E695-630D-9303-000000007502}28646088C:\Windows\system32\conhost.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-E695-630D-9203-000000007502}55046024C:\Windows\system32\cmd.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.538{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\WIN-HOST-CTUS-A\Administrator{3AAE424D-E5C3-630D-A9E7-310000000000}0x31e7a92HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.485{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F31491D29246E767555ABA248A03F2,SHA256=FAF2EC6D435DE4D8CD3B0F491F319B5168682C66AF9A604978C54511B91C7927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:08.108{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E706425B50B1802A7203FFBFEB0E85,SHA256=FF700F151EB900692ECB32AAE0124DB7CFFCC777315D493D772E3820A66F9C5D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:09.986{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:09.986{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 23542300x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:09.673{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93740D876DA7D5E73B5B5E78DF6C3D6D,SHA256=E7910FB3CADD77E38C5A3114901D3301622D5D34315DEEE14C4C226AB6CCD824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.719{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=033D337EF9B8FCD8F92FA195CDD9F965,SHA256=F98CAD59E4BB8F6A01BDD100AA3264527DB9B0164C49AAD169D0902FC0CFAFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.718{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EEDC9FF5E7F2D31913516146FAE86984,SHA256=C6F32341DCDE294EC4991D149566D83CE3797A32BA440A8045E1A87E17F1B7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.717{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7657411E92B17ADBBD955B4BCD36DE67,SHA256=7703B0A9147988CAC10DB625BE725FBA67D72DFB0B2FF0532C6BC0AD67F6166F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.661{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.654{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.651{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.649{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.647{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.620{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.613{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.599{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.592{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.586{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.577{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.570{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.557{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.548{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.539{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.527{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.472{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.469{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000037953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.413{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.195{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FD1309B2B4B62079D1DDD764C2DF63,SHA256=BC15E07E1D061B92C32871AB7786128C18DBA6720909DDA4B36407522311DD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.767{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B4D4BFC88DAC8BAF6E253708A2FC5D,SHA256=F2E0D591F198008DB652D5328FF5BE2F14E41AC8CE8A831B79398886F0AFBABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.526{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0229918CE4A16C202E7D4445110F75,SHA256=29EE99F7A3DD195959F51E0BA83EABE0429EBC28C03BD9A0CE96E41323D60BA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:07.979{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53685-false10.0.1.12-8000- 23542300x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.330{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=11D1BFD3431EE1F39112B2CC277BDF01,SHA256=F9A661EB1F4EC8F60149903272DBEAF25EC477B2647D2F72A849DA027233ED93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.240{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.240{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.240{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.240{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.239{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.239{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.238{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.238{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.238{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.238{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.236{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.236{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.236{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.236{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.234{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.233{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000037981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.172{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.165{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.163{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.160{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.152{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.134{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.129{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 354300x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:09.835{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50266-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:11.345{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE42F2FA96D3765D6970AAA32E77519E,SHA256=01370F3B8F1CE391DC6548B6FB41EE50A9F2C865DBB4CFAE087C878644094A0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.175{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53686-false10.0.1.12-8089- 10341000x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.726{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.724{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.724{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.722{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.702{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.686{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.681{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.638{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.600{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.594{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.590{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.586{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.583{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.580{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.579{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.575{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.574{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.573{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.572{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.570{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.569{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.566{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.562{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.554{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.538{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.536{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.526{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.508{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.504{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.495{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.460{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.454{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.445{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.434{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.422{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.416{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.407{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.399{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.391{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.381{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.378{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:12.930{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45EAD79F835AB5883C8FB9438882E4C,SHA256=7658D874147D79A0304CF5800C2D13041C6799D25D692398C5650C05AD89E2F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.822{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.812{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.806{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6406-000000007402}2624C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.779{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.767{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.752{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.747{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.745{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.743{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.740{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.737{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.735{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.734{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.730{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.728{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.727{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.726{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.725{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.724{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.722{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000037988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.322{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49FA525D37239854E572EA0A6DCB2E2,SHA256=CE5B057DAEF77E0EE524352EFC545A4625B0498BE0C2720FA23F3D7978EEBE99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:12.270{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F686C1066F92F522E7917B50417D00D,SHA256=8DCA464C7F33A4C87B13749F96AD5ADD5BE5B350D29F1F4BE74F39D9CB736CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:12.081{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB5DBB94E2F8D823B67B75A6C565107,SHA256=93331CC095A189697037B83D1FBC08F3B3CFC8744D57DD7B297F07C7041900E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.204{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.203{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000038009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:13.389{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983004FFA18DC64ACBD3FEA99DC0B9CE,SHA256=607D84F30B87B5FC262E373ADA8C88D470CD32F5783CC7908B70A04FF835D4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:14.475{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45AB7CBC043F030D8539BF585A88299D,SHA256=2442E02F72D98C2E2448328E212709F6EBB5D24CF52BADB93E1E3C8300E4ABEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:14.475{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D735EF27421EDD24F626FDACD61BF910,SHA256=FB5837E244ED0ED4C8C701C2B3FBA66FE52F64D660C4C312F72BEC79FDB34C09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.022{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90A302BCCCC711DD8D227ACF7915589,SHA256=09AECC544E61A0901E4EB175B6569BF4B26D9651E0F8F83A51AD3DE4D178925A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:15.566{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DE8C811A88763B5CBF744B05557B27,SHA256=E8E3C3B73D2CAE8EAA1E8C9898536C16F2BFB8CFBDC39A55C2EA1FB324265B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:15.417{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49F83F67D80C84CC3BAA77C56EDF3D5,SHA256=FE15AA12324C620532CDA28E3BCC1932BD8F7F926C76881CA65A5EE72A17EAC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:13.182{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:13.182{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000038016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:16.669{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C2DEA8C0DA76A6E871CB168EA0BEE7,SHA256=4A30C8052EC0CE1CA15D4327F7148D22D5FC62B4BD9E9B943B4B78407A863EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:16.540{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AA55020005CD68702C46BE8F15AC4E,SHA256=9C49069EA3195414CF931273E515F345F9AD9DA211C84FCFB9DC952190460E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:13.831{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53688-false10.0.1.12-8000- 23542300x800000000000000038018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:17.937{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D950CBEB36728E04F5B7BB8E9B28B235,SHA256=54FE49583082F96C4D72B0FF762ABFB5469E85B8455988BBC6F222E45C2D8F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:17.765{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7C9A11E946204FF9F57612695DE3A7,SHA256=7788461604BD3AF751D9874AEE286A141FA46C037B42C22F7199393DE940320F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:17.630{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B59949AE58D4B5898C8C5F1663BD08,SHA256=A06ED6DBFD95275D7C6401BB4686C0E669EBE6138FC5036DC0765F04D36E7C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:18.849{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B16FAFB0F015AEDD738F015DBFD1A5F,SHA256=FF11FA7C8D65FD0E9F5E13CDE046F0BE22936627A44F1786C22DDC0E198A56E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:18.712{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBE7A4A282D83B84B1E4626AECEBAFC,SHA256=D740F02F9E22849F590D5E8ADEF5419817995E4C7125368D7B95F44275A7D452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:15.731{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50267-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:19.944{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1B610B3769ADE5DAF0739CFFBB0AFA,SHA256=2416C513D54E3A5A0DD813AE09B4E5B1854229061FA72443CA4A0536B06E1A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:19.809{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F5548150173B08F213ABC0AAEF5BCD,SHA256=153DC5E6D287E2E55552300D0B090ABD2661E0A01238FDC199BEBA5AADCE0364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:20.892{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C318534444AA95C61D33FEF794924,SHA256=25684ECF1E9B3B466D37EE5755D374B91C86C4B94EE1ACF4EFC44CAF166AC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:21.984{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:18.970{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53689-false10.0.1.12-8000- 23542300x800000000000000038021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:21.022{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A1EBE658C5573C0011C5C2C5AF07FE,SHA256=5C8FA5EB9454E75814CA2D570AC169A3235303CC93415DE00B373F52538C93FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:22.097{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C54C843DBCB6645790E88793FC976B,SHA256=FEB940C8BE2DAA33BA1F4799E86C3B5EC42CB7127D5B5F2E7EA8030E14577999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:23.177{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F999F60D9FBC7A776717EC803C6FB48D,SHA256=F62AFDF470F0B8D4639D8F53DDE7628123192ACBCCB613B5D8045E9639358382,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:20.836{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50268-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:23.071{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.793{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-055MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.264{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C89737ED47EC34DD49D1C8E559A045,SHA256=E7F60056532AEB4BC686FF3A953CBE9528FB3D1CD024C14D456713FA42A02FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:24.160{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8EFD8EA69595DA15E93ACF6695686,SHA256=CCAD43BC8A9A3CB86A216E143EA9C5262E5AE2E3ED2B107E2CD7FCDDE4B43B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:25.798{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:25.336{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB0F1B7AB3786287FFA9121FA27BB37,SHA256=6C6C11CA784FFF6E9E260848FD1D8C7DA5A9522C45331E2D4F637621A5A090F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:25.250{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7DEEB84617FEC82F950C12351D6AB9,SHA256=63C7E985097508F6D2CBF0FC09DAF937FBD0CFA8DA43409E46019C19C25A38ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:26.425{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DEBBC91BCA763AEF965A7257E8AE14,SHA256=E6E3704685AF196D16BB70191758BF7624605B36BFD0A76829E80CEF7AD39EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:26.337{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B5A4B161F96C329D79F55E34FF2BC4,SHA256=856699CB41CFDEAACB3F569A853AC5988A9A653DC04ADCEE2DEDAFB744090315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.523{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36993607D3F713D53B01C9B02AF36C5,SHA256=78876D0C7751AE36D31AE717675246E92F093B20A45E66E012E856E4BACC3C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:27.516{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34B4EA953EB98139BB6819BD0663A49,SHA256=91A0461F8E905047E720114B854D90FD9EB06F3609102EA4BAF3B5053180045D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.848{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53690-false10.0.1.12-8000- 23542300x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.311{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:28.831{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05D311497D11C1F3FFD01AFF624AD2C,SHA256=F21C0B961C6953FD9BE1787DCD8A47EEE8724F1934819557210EFFF3556AE207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:28.493{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE592E82697E8D9EF8611A2259A025A4,SHA256=F4C802397E100CBC47AD49B0D39C0ED2A0E32AD67A33B3B13DF70F4FE868DB13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.000{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50270-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:25.913{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50269-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:29.922{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1443D79DF536FEADFBA538A991C6A97,SHA256=AC76FC7DC7138E713DD3EEBA5D560AB4D8759B31EC61367ADEC4D9DDB672BBC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.657{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.651{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.648{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.646{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.644{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.617{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.612{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.592{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.585{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.581{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 23542300x800000000000000038041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.578{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1119ABAFAA87DE0351B638A860CA6E3,SHA256=0C622A28D5F97A271C5EE4C9AEB2E2F9CD5EFAA5DEBB520B04E55CA6C47DF67A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.573{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.566{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.556{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.550{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.541{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.533{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.474{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.471{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 23542300x800000000000000038059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.628{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08625789869DF1F725DF77E5CDEFAE63,SHA256=845C705C64722641406408D6516E8CC6BA00A70CB4E13B1C9B125D8A5B53182C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.082{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.075{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.073{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.070{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.058{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.042{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.038{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:31.913{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:31.721{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005940CF9D7FD4C47337EAD1CC454C13,SHA256=CEA32CC5198E07B820ECBC0F1C23EEF44FF491F5AF77C7C27BFBB709F50E1856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.882{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.881{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.881{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.879{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.861{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.848{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.844{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.806{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.796{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.766{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.759{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.748{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.745{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.742{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.739{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.738{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.733{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.732{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.730{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.729{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.726{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.724{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.721{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.714{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.705{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.699{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.695{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.676{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.649{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.646{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.633{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.582{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.572{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.557{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.549{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.530{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.520{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.490{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.461{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.439{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.402{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.392{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.014{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A01EAA5C3CEDBC0903EBACC83E4045,SHA256=73726D99D5ADF63FEB65853A7790C7B0BAA86DF7A4A402C0ADE6DED7275A4CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.796{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D9DC46D5E09DE0DFFEE6E2A21B5F43,SHA256=F9C6CFF4F2FDA7B85BDAF7C738C9A370E65D77CF2284E21CE129BC95C35D3D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:32.301{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70167EF8C0E6E94B47B6433BA346C9D,SHA256=1804F7C9AE0D77F6339006FCCAED3F6B7C332D90C222603DFA736ADF28E94A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.721{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.711{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.705{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6406-000000007402}2624C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.685{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.677{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.662{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.657{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.655{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.653{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.650{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.647{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.645{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.644{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.641{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.640{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.638{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.637{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.636{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.635{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.633{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 354300x800000000000000038064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.936{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53691-false10.0.1.12-8000- 10341000x800000000000000038063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.115{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.114{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 23542300x800000000000000038086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:33.890{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3736D375656AE40AE985F878959ABCF7,SHA256=831A763F548D7847FD5F24657429D90CADB60C13D0027943B90F6613735A3C56,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.653{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.653{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.652{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.643{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:30.943{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50271-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.376{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7033534DF55AADCEFCA8DDBD2685C88,SHA256=D356F1958BAA2C4DF39702212CEBDFB9F07FB0598161C3ABFDA89A31189CE26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:34.968{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C9398F04E80383717E4BE68E8FCE22,SHA256=6255A7992ECD24D2D8FA863246B9FB28F7D52BB22BA2BA0EF058263658DC6369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:34.586{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBFD0CDCD76C4EA2CDCD3F4EE5FC01C,SHA256=50F0633B3596A8BD5628D8A434AB4B353F6746F1397151D72170D119517D1672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:35.686{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A900FFF75141C53943E1605405DFA0,SHA256=7AFBC71F3E588EBC218E78ACC7E4FFF3716D926C4AD78F6D384E313238799072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:36.772{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EAF46B2CD54166B1155AD7F20C20A4,SHA256=6322CD98B468D8BB24C4ED5CED8E027CB6F64AEB6B9B0EC304EDE9FE32A1BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:36.054{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FBF9A71C094B8DC39232A42A988A23,SHA256=72D919A21BEBEB3123D51E24F75A0F4C3F5AF42B64CB9F67FCC2AFB7562C7132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:37.871{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A390570611BB626E99212E4AB6F5A545,SHA256=EB5FFA73600593F3CA0C0EDB4172289952CEC338BF707F1B88F8CB1A3BD74EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:35.847{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53692-false10.0.1.12-8000- 23542300x800000000000000038089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:37.150{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3174B7C332D31B6097C3C5F6C550E06E,SHA256=D676E3CFAF72785008EDA8888BDE8A9E46A3F4C9810FADC804FC9DACE17723D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:38.967{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62124A8A82D9DDEE9E87602AD69B4B5,SHA256=2B597183AEF571206B0DC52A1942F433FCB391CF006B9CA009D09312C3B45D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:38.229{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F718EC4E85A22D4C126E04E4EEC7F97,SHA256=7F88964417CF2E1C511EF5DAB36D30330ABC4A464E6D9D1579936E80A0DB191D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:36.858{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50272-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:39.316{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE9697B3B4080321D443DDE5B90F622,SHA256=93B60B2254BB08F34FFC8F20798ADB8B34990A8900B2A47F8A4543922FAE5EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:40.403{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C6F8FC64FB808D2FC17FC489A1059D,SHA256=5EFD6E481BBDC71E16738A202E2E9498DD61FB5C563D7AF7F6E68B693546C371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}5203608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.736{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.062{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31637210A1FF235D9B78D3A49A95A63F,SHA256=1B58E73C11E84F0C30039877AD21087E6B54CAD5BB5FA98CC0C494214E5D8077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:41.504{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B442229FEBE9CABFCBC4C501B23487,SHA256=365B4861A2CE6DBE814E4D4C106A77B1B5522357B4ADEA85D3E56743519FFD9E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.891{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B160998D972270500C68B6B926332A,SHA256=37637BD0AF937D447EF9BA2E4BA8CFCBBFDFB608C8F16EDBD979FFB26592C523,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.736{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BC9000A2C4D80A124283CE59F6789C86,SHA256=8312B03E71E50A8ED176AC9C694B0C7729273413EB8C19D28D6D6EE77461F8B5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 23542300x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316D71A11DD63DBEF874798790802302,SHA256=1B42F629FA7B61FE57FBF7BBC42B0E5CBB2158A45C0544EF5B3CEA3C42C24F24,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 23542300x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2C1130532EED3D77D2CD7CC2B1BA39AC,SHA256=54BB5AC401863448373CA9CC23A3DBC052060FFF73D7F9D53FDC52BAD6E9582B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.235{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:42.608{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2314A40203E82E8A6C1437451AE7AABD,SHA256=3D38689840FA46D4CF24BDCBD8245B4CB6998CA430C33ACC19A2F35AE0636D71,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-EA1A-630D-0504-000000007502}13244628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01425AA7143C66AA0A64B8D378F868E,SHA256=5725676EC8BA42AA48619C3EBFC2F18875D25C74E4FEB98BAFF05DE2F0036A23,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.440{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.440{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.440{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.410{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:42.138{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=48E524A2A4515C03754E07644CE453E8,SHA256=BCD35ED76E09560E087FD1E24D44CDF87B334F46A0E8DB466D0D039AD3ECD097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.000{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D5229B56261CA868DA41A2DC8E2380,SHA256=CEA8EBFA4A36E6FA97B591805F3628612246D41EE955F049426F04E8CF2137DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:41.816{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53693-false10.0.1.12-8000- 23542300x800000000000000038097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:43.709{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7804B5270C40F9981ACE78763A14F959,SHA256=2CF87D342F074506130E34908D5A2E114BB009C503B6CA3F14738667578AE106,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.982{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.981{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.980{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.976{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.974{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.954{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.750{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C52FE1A69DCDB9445A9CA3AFFBB950,SHA256=3F58200733D4F4F8D805C5BBDBAC176160214170B1C664E950A16ED1B2D44050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:44.809{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CC99D5D33D0125F53F4C88FF7B66A5,SHA256=3C3C49DDF0E01D277908201B3EC4C96DDF4B91423160E17ED2815F305AAB01FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.922{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603519BB69EC00D9D74C6487FE355E8F,SHA256=B7D00DB9FB676C5D2E779548DECDBAE337552AD5F382F01CBDD8577CF88865D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.906{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6549E0B02E024DF20217DA987B88E674,SHA256=629D951F2C9BBCB9CF1829BCC3F2DB566863BC7A324F8C344879094490256854,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.813{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000028794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.813{3AAE424D-EA1C-630D-0704-000000007502}52485704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.813{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.813{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000028791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.944{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50273-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000028790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Wi